Run, Hide and Fortify®: A Recommended Approach for Businesses

Run, Hide and Fortify®: A Recommended Approach for Businesses

22:45 27 September in Business Continuity Planning, Corporate Security, Crisis Response, Personal Safety, Security Consulting, Travel Safety, Workplace Violence

John Farrar, our guest blogger this month, brings us the final article in the Run, Hide and Fortify® series. This article concentrates on businesses pre-planning for the worst-case scenarios – A recommended approach for Businesses.

Businesses that take steps to prepare for the types of incidents discussed in Article I and II of this series, will find a carry over to improvements in their overall functioning to other types of events and increased business resiliency. People would be surprised to know how many temporary evacuations occur all over the country for all kinds of situations ranging from potential HAZMAT exposures to extreme weather and Law Enforcement situations. Pre-planning for these worst-case scenarios will create organizational flexibility and make the more likely “lesser” events much easier to manage and mitigate.

Every company should have some basic emergency plans in place. While planning tools and acronyms can assist, it still boils down to identifying the potential threats, their impact to the business and their likelihood of occurrence. After identifying the risks, you can plan on how to mitigate them. Obviously, you will spend most of your available resources on the most likely of threats.

Years ago, I read a book on IT security, the technology it discussed is long out of date but the underlining principals still stick with me. It really stressed the point that you need to focus on your most critical processes and resources. An example is how traditional security focuses so much on the physical aspects, such as access control and their physical premise, but tend to skimp on securing their most important assets. For many companies, their primary product is their intellectual property. It amazes me how many companies appear to skimp on digital security that protects their most critical resources such as the source code of their products or other important aspects such as employee email. You have to spend the time to identify the critical and most absolute mission essential aspects of your business and how to protect them.

Hacktivism or breaking into networked computers for some political or social cause has been around for a long time but is increasingly becoming a more prevalent threat. There is also an ever-growing movement in Academia to place it into the same context as a legitimate or legal form of protest. The idea behind it is since there is no community or common “space” in the digital realm for protesting, such as in the traditional brick and mortar business, that it should be legal to “occupy” or protest on some “offending” companies or organization’s website. These are all things that should be discussed more in boardrooms.

Plans should be in place for fires, Tornados, Earthquakes or other environmental issues where the business resides. I wonder how many businesses in Pierce County, Washington that are in the potential pathway of a possible lahar or mudflow that could occur if Mt. Rainier were to erupt again have evacuation plans in place.

Employers should have rosters of their employees and emergency points of contacts for their families. In case some disaster does occur it would be beneficial to have a communication plan in place prior to an event. Decision making in the aftermath of tragedy isn’t always sound. Facility Managers and Property Owners should have emergency points of contact. Facility Managers should know how to shut off the utilities, know where their insurance information is located and any other vital records.

Accommodations for those with special needs or disabilities need to be planned for in advance. An obvious example would be having alternative escape routes available for those in wheelchairs at a Health Care Facility.

I keep repeating myself but the key is to plan and prepare as much as feasible prior to an event. Evacuation drills should be run with the same frequency as Fire drills or other environmentally specific drills such as tornado or earthquake.

As your plan finalizes, take the time to coordinate with the various First Responders in your area. SWAT teams are always looking for places to train or at the very least might want to do a walkthrough of your business to look at potential unique hazards at your location. Establishing rapport with the locals can never hurt and might provide further insights.

Post Incident


Once the situation is stabilized there will be a great deal confusion. If your business was involved it’s now part of a crime scene and responding officers will have secure it from potential crime scene contamination. Try to gather your employees in a safe location. Officers and or Detectives will want to interview them. There might be items of evidence lying around. Try not to disturb things.

Rumors are rampant during these types of situations so try and establish a point of contact with Law Enforcement so that there is just one point of communication going back and forth. It will improve the flow of communication. This is another time for patience. A lot of adrenaline has been pumped out and nerves will be on edge. If there are any employees that appear to be overly traumatized try and coordinate a Mental Health professional to screen them and prepare a plan for follow-up. This is another time where prior coordination and pre-planning will come in handy.

Continuity of Operations

The sad reality is sometimes bad things happen to good people. A little up front preparation can become the difference between life and death both for individuals and businesses. As I stated above identifying the mission critical aspects to your business and having backup plans can make the shift back to “normalcy” go a lot smoother. Identify your mission essential positions and processes and have backup plans in place. It’s far easier referring to your previously written plans and doing a check the block as you go through them as opposed to creating one on the fly. Think redundancy, as I was taught in explosives training, you always want a redundant initiation device. 3 is 2, 2 is 1. Have a backup plan and then a backup plan to the backup.


This concludes our three-part Run, Hide and Fortify® series. My hope is that there is enough useful information in this series to help create an action plan for you or your business.

About the author

John Farrar graduated from the University of Washington and has been a Police Officer for over 20 years in a large Metropolitan City and served in a variety of positions including Crime Analyst for 5 years.

John has training in a wide variety of fields including Interview/Interrogation, Surveillance, Eastern European Organized Crime, Crime Analysis, Terrorism Analysis, Terrorism Awareness and advanced training in Criminal Investigative Analysis (Profiling). His technical training consists of hardware/software, preservation of digital evidence, management of digital investigations and computer forensics as well as Cyber Terrorism on network security.

He is also a graduate of the DEA Intelligence Analysis Course taught at Quantico, Virginia.

For further information on Security, Terrorism and other items of interest, check out John’s blog at