In a country flooded with both firearms and “troubled young men,” where government and law enforcement show little ability to stop the absolute worst from happening even as the absolute worst keeps happening, how does a CEO protect their workforce?
It may be the last thing anyone wants to talk about, but for those running companies—especially companies of any scale—it’s hardly a hypothetical question, says Tom Conley, President and CEO of The Conley Group.
For 46 years, as a police captain, a Navy criminal investigations officer and in running his Des Moines, Iowa-based corporate security firm, Conley has seen again and again how a few good—or bad—decisions can make all the difference when it comes to protecting people and property from the worst in human nature.
In his view the increasing number of mass shootings are the result of toxic alienation, a breakdown in community, a volatile economy and a level of Covid-era anger and resentment he routinely sees rising to an explosive rage—and it isn’t going to stop anytime soon. “The level of mental illness out there is a level I’ve never seen before,” he says.
That doesn’t mean you are powerless—far from it—says Conley. But like all forms of risk management, real security doesn’t happen on its own, he says. It takes focus, planning and effort. Risk management boils down to:
- What can hurt me?
- How bad can it hurt me?
- What can I do about it?
“While no security program can completely dissuade a likely offender, one of key objectives of a quality security program to deny a likely offender a suitable environment and a suitable target, thus dramatically decreasing the probability that a likely offender will attempt an action because of the low probability of the likely offender being successful,” says Conley. “This ‘target hardening’ is one of the very best forms of crime prevention. This is true for internal and external threats. In short, the ability of anyone to commit any crime or act of violence against an organization will depend largely on the potency of the security program.”
To get there, he suggests CEO adopt an Enterprise Security Risk Management (ESRM) approach to safety and security that is led by a Chief Security Officer (CSO). The CSO should be a direct report to the president or CEO. The CSO’s domains should include:
- Safety and Risk Management
- Physical Security (Armed Security Personnel, Locks, Lights, Executive Protection)
- Electronic Security (Card Access, CCTV, Alarms)
- Virtual Security (Cyber / Chief Information Security Officer)
- Enterprise Safety
- Internal Investigations and Intelligence
- Business Continuity and Disaster Recovery (Two Interdependent But Separate Functions)
“A properly executed security program provides an ‘adequate’ level of protection for people, property and information,” says Conley. “An ‘adequate’ level of protection means there is equilibrium between risk mitigation, insurance and acceptance. Put another way, all known risks have been identified and mitigated so the organization has an environment that is as safe as is reasonably possible without investing one penny more than is absolutely needed.”
In a conversation, Conley shared insights, edited for length and clarity:
Mass shootings are in the headlines all the time lately. How should we think about this in the context of the workplace?
Dynamic events unfold and are over in seconds, normally not minutes. So, once the police are notified, there’s a series of events that have to happen before they’re ever notified, let alone respond, get on scene and find the shooter. If you don’t have armed security personnel who are capable of engaging and taking out a shooter, the police cannot get there in time to make a measurable difference in the outcome. That’s just a fact.
People don’t want guards armed, because they look at Armed and Dangerous, they look at Paul Blart: Mall Cop. They look at their security, which are probably minimum-wage level people, and they imagine them with a gun, and it’s horrifying. I wouldn’t be any different.
They need to switch paradigms and look at their own protective apparatus. What normally happens is the security gets relegated to maybe HR or the maintenance person. It doesn’t get funded properly because there’s no demonstrated value. It’s this sick circle of incompetency where the security program doesn’t demonstrate value. In many cases, it doesn’t have value.
If you have a good security program, the chances that anybody is going to come and try to do something wrong go way down. Bad guys do risk management too. In fact, there was a study done with felons who have assaulted and shot police officers during a vehicle stop. During the interview, they ask what made them attack this officer on versus another officer. Their answer is, “I thought I could take them.”
We are a nation that’s awash in guns and awash in crazy, angry people. As a CEO, what do you need to be thinking about before something terrible happens?
You need that foundational security program. Most organizations don’t have that. The guard’s sort of at the door, and HR gets involved if there’s a complaint, but not much else really happens. Part of the outflow of a security program is not only training, but an integration of everyone into the security team. In other words, security is everybody’s responsibility.
How that manifests is if you see or hear an employee who’s talking about killing people and that kind of stuff, they know to report it and they feel safe in reporting it. If you don’t have that mechanism in place, it’s like, “Well, I probably should tell somebody, but I really don’t want to snitch.” Or the female—most often—who has finally left an abusive relationship, she’s living somewhere where the ex, soon-to-be ex, doesn’t know where she’s living, but she can’t change her place of work.
The question is, does she tell her employer about her situation or not? We suggest that it’s a mandatory reporting to the security department, so they can take steps to not only protect her but the entire workforce. Because what spouses will do is they’ll come to the workforce, kill the person and kill anybody who gets in their way. And especially, if they’ve worked there for a while, people know the husband or the boyfriend, so they’ll let them in.
So, there’s some things that security needs to do immediately upon learning that, to alert the workforce without sort of badmouthing him, “Hey, we have this incident, this person is not allowed on our property. If anybody observes him, call this person.”
If you have that security mechanism in place, people have already thought about those kinds of issues and have taken steps to mitigate it in advance. If you don’t have it, most people will not know what to do, and they won’t do anything. And that’s where people get in, and they’re targeted.
What’s changing about the workplace—how may it be different than it was even just a couple years ago in regards to some of these threats?
I call it the balloon principle. Some people have a baseline where their balloon is chock full, it’s right at that breaking point, whereas they could put more air in before 2020. Now, their balloon breaks because the pressurization has reached critical mass and it bursts. That’s the best analogy I could think of.
Some people are disruptive, only a few are destructive. Figuring which is which is a very special skill that most HR people don’t possess because nobody’s trained them in that. It’s different if you have a good security program or if you don’t, because an investigative function is a part of the CSO. If you look at two 40-year-old males, there’s a big, big difference in the threat from the first guy, who has a loving wife, has a family, money in the bank and the second male, who’s got a gambling problem, who’s getting a divorce, who’s living in an apartment, and whose son has cancer.
They represent two very different threat profiles. That’s where investigative analysis comes in. What’s this person’s stage in life? What are their stressors? Do they have plenty of money, or are they short of money? You can get some of that information by talking with their coworkers, but a lot of it is going to come from social media. There hasn’t been one mass shooter [recently] that hasn’t been part of message boards and websites who hasn’t talked about killing people and been accustomed to that by other like-minded people.
It also makes the case, I imagine, for managers really getting to know their people, paying attention, asking how they’re doing and what they’re doing in their lives?
What managers need to look for are behavioral changes. People who commit workplace violence get into this mental rabbit hole. What you want to do is look at people who become loners, people who have a fascination with weapons, people that talk about, “Hey, you know, that guy got fired from that company. He should do something to him.”
I’m not talking about guys over a break talking about shotguns, going hunting. I’m talking about somebody who’s fascinated with guns, knives, weapons. As people withdraw from others, others withdraw from that individual. There’s this paranoia that sets in. The individual who’s not feeling good, all of a sudden feels that people are not really engaging him anymore. That builds their paranoia that the company’s after him.
One of the reasons that you need somebody to interdict that individual is to have that individual talk about that, to assure them that nobody’s after him, the company’s not after them. Because, short of facts, people will build all sorts of things in their mind. The human brain is designed to try to make sense out of bits and pieces of information. So they can either form that narrative themselves, or you can help them correct that narrative. That’s where that change in behavior and noticing that really helps. I’m a big believer in EAPs [employee assistance programs].
The number one thing employers can do is let people know that they’re appreciated. It’s free, and it’s the one thing that very few people do. That’s not only good for retention, and motivation, and production, but it’s also good for the general culture.
If it’s time to terminate somebody, that’s where you need that investigator in there with HR. You never want to fire people on a Friday. Fire them on a Monday afternoon, end of day, ask them to stay, and after the workforce leaves, gather up their things. Don’t march them out in front of their coworkers with their worldly belongings in a little box. One of the reasons you want the investigative arm of the organization to handle it is, it takes their supervisor and their manager out of it. The employee’s talking with somebody who’s never reprimanded them. It’s a neutral party in terms of dealing with that individual.
Reach an agreement with the person about what you’re going to say in a memo or say to people when they’re gone. Don’t ever badmouth them, because they have other people there who they know who are going to tell them.
People retaliate when they believe their dignity has been stripped of them. So, never strip anybody of their dignity. Be very, very, very careful nobody does that.