DRJ Fall 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Fall Journal

Volume 32, Issue 3

Full Contents Now Available!

This article focuses on the topic of workplace violence, the assessment of an organization’s incident management plan, and the critical role placed upon an effective incident management plan to successfully address such an occurrence within an organization.

What is Workplace Violence?

Workplace violence is violence, or the threat of violence, against workers. It can occur at or outside the workplace and can range from threats and verbal abuse to physical assaults and homicide, and is one of the leading causes of job-related deaths. However it manifests itself, workplace violence is a growing concern for employers and employees nationwide.

The Threat

There are several classifications of perpetrators who might engage in workplace violence. Such perpetrators can be broadly described as follows:

  • Outsiders: Someone who has no legitimate relationship with the victim or workplace and usually enters the workplace to commit a robbery or other criminal act.
  • Customers: Someone who is a recipient of a service provided by the affected workplace or victim.
  • Employee: Someone who has an employment-related relationship with the workplace victim. You may have current or former employees in this situation.
  • Employee-related outsider: Someone who is possibly a current or former spouse/lover, a relative, acquaintance or some other person who has a dispute involving an employee of the workplace.

There are many factors that can lead to violence, including anxiety, vulnerability, and low morale. Knowing signs of these conditions can help you and your staff, become more proactive in addressing workplace violence. Failing to recognize and react to these signs when they lead to workplace violence and subject you and your employees to injury, legal entanglements, loss of productivity, property damage, or even loss of life.

According to the Occupational Safety and Health Administration (OSHA), there are three categories of workplace violence:

  • Type I, Stranger Violence: Stranger-versus-employee violence, such as armed robbery, accounts for 60 percent of all workplace homicides.
  • Type II, Client Violence: Client violence occurs when a client whom the organization serves attacks an employee. A staff or faculty member being attacked by a student best exemplifies client violence. It is estimated that 30 percent of all workplace homicides are a result of client violence.
  • Type III, Employee Violence: Employee violence occurs when an employee attacks another employee. This accounts for 10 percent of all workplace homicides. The term employee may also refer to temporaries and subcontractors who spend a significant about of their workday in your workplace. This category also includes domestic violence.

An organization’s incident management plan should be broad in scope to address each of these potential sources of employee exposure to workplace violence. Is yours?

Who is Vulnerable?

The Census of Fatal Occupational Injuries (CFOI) reported that 5,703 workplace fatalities occurred in 2004. This represents an increase of 2 percent over 2003. Of the 5,703 fatalities, 14 percent were related to assaults and violent acts, of which 10 percent were homicides.

According to a report published by the Bureau of Justice Statistics (BJS), an average of 1.7 million people in the U.S. were victims of violent crime while working each year from 1993 through 1999. An estimated 75 percent of these incidents were simple assaults, while 19 percent were aggravated assaults. For the same time period, more than 800 workplace homicides per year were recorded by the CFOI.

What Is the Cost?

According to the Bureau of Labor Statistics, 8,672 workplace homicides occurred between 1992 and 2001, which cost U.S. businesses nearly $6.5 billion dollars – a mean cost per incident of $800,000.

Violence-related fatalities are only the tip of the iceberg. According to the U.S. Department of Justice, a half-million employees miss 1.8 million days of work each year, resulting in more than $55 million in lost wages, not including days covered by sick and annual leave. Workplace violence accounts for 16 percent of the more than 6.5 million acts of violence experienced by individuals age 12 and over.

Data from the European Union shows a very significant correlation between health-related absences and violence at work. Thirty-five percent of workers exposed to physical violence, 34 percent of those exposed to bullying, and 31 percent of those exposed to sexual harassment were found to be absent from work, compared to an average of 23 percent among workers in general.

Stress and violence cause immediate and often long-term disruption to interpersonal relationships, the organization of work and the overall working environment. Cost factors include direct costs such as those deriving from absenteeism, turnover, accidents, illness, disability, and death; indirect costs include diminished function, performance, quality and timely production, and competitiveness.

Increasing attention is also given to the negative impact of violence on intangible factors such as company image, motivation and commitment, loyalty to the enterprise, creativity, working climate, openness to innovation, knowledge-building, learning, etc.

OSHA guidelines state that employers can be cited if violence is a recognized hazard in their workplaces and they do nothing to prevent it. Therefore, if the company has received notice that a former partner has threatened to harm an employee or has made attempts to harm an employee at work, the company will have a duty to protect that employee. This duty extends to the threatened harm, or any other harm that could logically flow from the threatened harassment, such as injury to other employees who attempt to protect the threatened employee.

No organization can afford to maintain a climate of negligence where lives of innocent people hang in the balance. In 1999, a jury awarded $7.9 million dollars to the families of two men killed in a workplace violence incident in North Carolina. According to the attorney for the family, “…This man was a ticking time bomb and the management knew it, yet they did nothing to protect their employees…”

This should be a wake-up call to human resources (HR). Nearly all fatal workplace-violence incidents have been followed by lawsuits brought by the victims’ aggrieved families. In the period of fact-finding that follows, organizations are legally compelled to provide information to the parties bringing suit. Managers and supervisors closest to the tragedy are often called to attest to their lack of awareness of violence-prevention issues while management officials have been required to testify, under oath, as to their organization’s failure to prevent the tragedy.

As a result, many organizations have agreed to secret multi million-dollar settlements rather than make a public admission of negligence. No human resource executive would relish having to take the witness stand to defend such a failure.

The longer term impact and cost of a workplace violence act, affected companies experiencing high employee turnover after an incident, possibly because employees commonly view safety in the workplace as the employer’s responsibility (and this trust relationship has been breeched), and potentially employees feeling a sense of loss and vulnerability in the safety and security of their workplace environment – it is no longer safe at work or with this particular employer.

Proactive Incident Management Planning

What is your organization’s responsibility (ethically, morally, legally) to provide a safe and secure working environment?

The Occupational Safety and Health Act’s (OSH Act’s) General Duty Clause requires employers to provide a safe and healthful workplace for all workers covered by the OSH Act. Employers who do not take reasonable steps to prevent or abate a recognized violence hazard in the workplace can be cited.

What documented, proactive steps have been taken by your organization that demonstrates an awareness of the responsibility to protect employees, visitors, the general public, who may be on your premises during the work day?

While many organizations undergo intensive and often extensive disaster preparedness or business interruption preparation, developing plans and testing scenarios, many equally fail to consider potential incidents that while falling short of fires, floods, earthquakes, and system-wide telecommunications failure, still pose a substantial risk and liability to the organization.

Incident management (sometime referred to as crisis management), is a critical component of an organization’s overall disaster management strategy. While disaster recovery and business continuity plans (BCP) are designed to get the organization back onto its “operational feet,” they can be viewed as longer term strategies.

Incident management addresses the immediate, shorter term “event” which is addressed, contained and resolved. An event can escalate into a larger crisis which may result in the organization moving to implement its disaster recovery plan and eventually its BCP.

In the case of any event, its impact on personnel and operations is always a matter of degree, and planning should include at its onset, a thorough risk analysis. This is a key tool in identifying at-risk factors on the organization level, and conducting a basic individual threat assessment will identify threats at the personnel level. It is prudent that such analysis and assessment be coordinated with your organization’s human resources department so as not to violate state or federal legislation governing personnel practices.

In the desktop training scenario at the beginning of this article, the example of Tom and Betty could have been nothing more than a personal quarrel between two people. The severity of the event escalated into something more disastrous, when Betty’s actions threatened innocent people, caused bodily harm and impacted daily internal operations.

Crafting a Response to Workplace Violence

When events occur and their containment is impracticable, then an organization must be prepared to implement its organizational incident management plan.

  1. Does your organization have a master incident management plan?
  2. What types of incidents does it address?
  3. Who is responsible for its implementation?
  4. Does your organization maintain multiple incident management plans addressing various classifications or types of incident events?
  5. What procedures are in place, which actively tests the credibility, functionality, and feasibility of the organization’s incident management plan(s)?
  6. What analysis is performed to examine current business practices to identify security shortcomings that may materially affect personnel safety and security?

After an analysis of existing procedures, the security screening system for a Detroit hospital was expanded to include stationary metal detectors supplemented by hand-held units. The system prevented the entry of 33 handguns, 1,324 knives, and 97 mace-type sprays during a six-month period.

How would your organization, how would its personnel, react to the scenario involving Tom and Betty? Are your personnel prepared? Are you? Are you sure?

Assessing a Workplace Violence Incident Management Plan

The following list of questions should be asked in the assessment and evaluation of an organization’s workplace violence incident management plan to determine the organization’s ability to effectively respond to an occurrence of workplace violence.

This list is neither all inclusive nor are the questions listed in any particular order. Additionally the reader is advised to examine the additional references and resources at the end of this article for further sources of information on workplace violence.

Plan Assessment Questions

  1. How will emergency and first responders be notified? By whom? Via what type of equipment?
  2. Who (first responders) has a map of your organization’s physical layout to assist in rescue attempts as well as assault procedures, if warranted.
  3. Are procedures established that encourage employees to report and log all incidents and threats of workplace violence?
  4. If there are any injuries or causalities, how will office personnel communicate this to external first responders?
  5. Does your organization have policies and procedures in place, supported by documented training that all employees must follow, should an incident as described above occur?
  6. Does the organization provide workplace violence policy and guidelines and training in multiple languages or based on languages spoken in your workplace, domestically and globally?
  7. How are these policies and procedures tested? Documented?
  8. Who within the organization is immediately responsible on scene to assume control under such a scenario as described above?
  9. Does the organization have direct contact to local authorities for immediate response to an occurrence of workplace violence as described above?
  10. In cases, as warranted, has the organization established a preauthorization with law enforcement to negotiate with any hostile party on behalf of the organization? Will law enforcement, upon arriving on the scene, automatically assume command and control over the incident?
  11. Has the organization identified an expert(s) experienced and thoroughly trained in how to professionally assess the violent nature of an individual and the likelihood of h/she becoming violent? Is this person (or persons) on staff, on retainer, on call?
  12. Does the organization publish a list of whom to call and resources available to assist with issues? Is this list retained as part of the incident management plan?
  13. Have hiring procedures been enhanced to include checking backgrounds, references, validating identity, and training all personnel involved in interviewing to look for violence-prone tendencies?
  14. Does the organization provide on going training for managers, supervisors and employees in how to identify early warning signs, how to appropriately intervene to address them and how to deescalate potentially volatile or hostile situations?
  15. Does specific training focus on developing core competencies in effective conflict resolution, hostility/anger management and emotional intelligence?
  16. Is there anyone on the organization’s incident response team, trained and certified as a crisis negotiator? Has ongoing training been sustained?
  17. What training has your organization’s key management personnel and human resource personnel received in workplace violence, negotiating with hostile individuals, emergency first aid, etc.? How often is this training updated?
  18. Have all employees been informed that no one other than the approved negotiator should attempt to interact with any individual threatening harmful actions to or against another employee, customer, visitor, etc.?
  19. What potential legal ramifications could the organization face by allowing an untrained company employee take charge of negotiations?
  20. What potential legal ramifications could the organization face by allowing a third-party to negotiate on its behalf with any individual threatening harmful actions to or against another employee, customer, visitor, etc.?
  21. Does the organization carry appropriate liability coverage which would address the ramifications of a workplace violence event?
  22. If first responders or law enforcement personnel must enter your facility, are there procedures in place to secure sensitive areas? To escort these personnel through secure areas?
  23. If first responders or law enforcement personnel must enter your facility, are there procedures in place to prevent unauthorized individuals from entering your organization with them? Are there procedures to restrict law enforcement to designated areas only?
  24. Does the incident management plan address responsibility for coordinating media contact, information disclosure, and official company statements regarding the incident?
  25. Are procedures in place to prevent the news media from filming sensitive or restricted areas? From speaking with any employee directly involved in the incident, immediately following incident resolution? Are media personnel required to obtain organizational permission to speak with any employee, while the employee is on company premises?
  26. What procedures are in place for emergency evacuation by employees from any office area, should employees be required to flee a workplace violence incident as described above?
  27. What procedures are in place to evacuate all non-affected personnel away from the incident site and to secure their safe exit from the facility?
  28. Are all onsite, nonemployees, (e.g., contractors, visitors, etc.) required to sign a waiver of liability prior to being allowed to enter or work on company property?
  29. What procedures are in place that specifically address a coordinated proactive reaction to an act of workplace violence, which may occur within any of the organization’s operating facilities (e.g., offices, showrooms, production lines, reception areas, etc.)?
  30. Are selected employees trained in emergency medical first aid, which would be applicable for use under a broad range of potential medical emergencies?
  31. What type of training do employees receive, that provides detailed instructions on procedures to follow whenever a firearm may be involved in an act of workplace violence?
  32. What type of employee assistance program (EAP) is in place within the organization that not only provides information on workplace violence but, also what services employees may take advantage of, should they need personal counseling and or assistance?
  33. Are all visitors entering company property required to pass through a metal detector or be subject to individual search and screening?
  34. Are all reception areas separated and protected from direct access by external visitors?
  35. Has the organization used or is the organization considering the use of Security Prevention Through Environmental Design (SPTED) – engineering/architectural controls processes when building or retrofitting facilities to maximize crime prevention?
  36. Does the receptionist area have panic buttons and emergency contact/call capabilities linked directly to the organization’s internal security function and externally to local law enforcement? Does the emergency call activate a silent alarm versus an audible alarm?
  37. Are all employees, especially new hires and visitors informed of emergency evacuation procedures? Are these procedures modified and communicated to all employees when evacuation routes require modification due to onsite construction, remodeling, etc.?
  38. Has the organization established a prearranged signal (a name, phrase, or code), that when issued (via companywide intercom and/or IT message broadcast via desktop PCs), which instructs employees to immediately evacuate the facility or conversely to seek shelter and safety in a lockable office?
  39. Depending on the nature of the company’s operations, do security procedures warrant that employees not be allowed to receive visitors (e.g., clients, guests, family members, etc.) at their workstations? Rather, all guests, clients, etc., must be met by the employee at a pre-designated meeting area, thus, preventing anyone but authorized employees from entering the organization’s work areas.
  40. Do procedures exist to enable management to account for all employees working on company property at the time of the incident, and to verify that all employees not involved in the incident are safe and secure?
  41. Are all visitor areas, walkways, parking lots, etc. monitored 24/7 via closed circuit TV for any indication of unusual and/or unauthorized activity?
  42. Are all company parking areas used by employees secured and monitored?
  43. Are visitor parking lots consistently monitored and/or patrolled for unusual activity or vehicles parked for unusually long or extended periods?
  44. Does the incident management strategy for protection against workplace violent crimes, provide field personnel with handheld alarms or noise devices and/or communication device to be able to get help, e.g., cellular phones, pager, etc. to use while in the field along with processes for monitoring their whereabouts.
  45. Are employees advised and counseled by HR that at the employee’s request, the employee may notify HR of individuals that have been directed by the legal system to refrain from contacting or approaching the employee. Have such individuals, their names, description (photo if possible), vehicle description, and license number been communicated to the organization’s security function? Are the methods that are currently in place capable of preventing such contact within your organization or on its property?
  46. Do procedures exist that enable the delivery of prompt medical evaluation and treatment after the incident?
  47. Do procedures allow for the reporting of violent incidents promptly to the local police? Who is authorized to file these reports, and what procedures exist to ensure that no sensitive data is released intentionally or accidentally?
  48. Are victims informed of their legal right to prosecute perpetrators of workplace violent crimes?
  49. Does management discuss the circumstances of the incident with staff members, and encourage employees to share information about ways to avoid similar situations in the future?
  50. Does the incident management plan provide for stress debriefing sessions and posttraumatic counseling services to help workers recover from a violent incident?
  51. Are all violent incidents and threats investigated, and are procedures in place to monitor trends in violent incidents by type or circumstance, and institute corrective actions? Who receives these reports and how are follow up actions identified and sustained?
  52. Does the organization’s incident management plan call for the development and distribution of an occupant emergency plan? Every company office or facility should distribute to each employee a viable occupant emergency plan outlining procedures to follow in the event of fire, bomb threats, civil demonstrations, threats of violence both inside and outside the office, natural disasters, etc.
  53. Has the organization enhanced physical security measures and established a workplace violence audit team to conduct on-going assessments and effectiveness of security efforts?
  54. Are organizational personnel, security and safety policies synchronized to ensure they create an integrated workplace violence prevention effort?
  55. Has the organization developed incident response procedures to deal with an incident which includes having a crisis communication and public relations plan in place before a crisis occurs? Additionally, has the plan addressed preestablishing a critical incident debriefing process including identifying skilled counselors to be able to assist victims after an incident?
  56. Is the organization’s exact address/location known to first responders? Is the organization’s address and building numbers clearly visible on the front and top of all company buildings?
  57. Does the incident management plan address implementing a zero tolerance workplace violence policy that strictly prohibits employees, as well as anyone else on company premises or engaged in a company related activity (including customers and visitors), from behaving in a violent or threatening manner?
  58. Does the incident management plan addressing workplace violence provide managers with a support system when they have to fire an employee, which would include but, not be limited to a threat assessment team, (which includes HR managers, labor relations representatives, and district managers)?
  59. Are policies and procedures in place that explicitly state how the incident response team is to be assembled in the event of a violence act and who is responsible for immediate care of the victim(s), reestablishing work areas and processes, and organizing and carrying out stress debriefing sessions with victims, their coworkers, and perhaps the families of victims and coworkers?
  60. Do procedures exist that establish a “one-voice” policy concerning ALL external communications related to any event occurring on or within company owned properties? How does your organization prevent the leakage of “sound bites” or overheard conversations, which may be disclosed inappropriately to the media or to family members, which ultimately prove to be erroneous? Could the failure to prevent this leakage and potential for miscommunication, lead to a loss of corporate integrity or equally critical, legal liability?
  61. What procedures are in place to ensure the accurate and expeditious communication of “event details” to authorized family members and appropriate media outlets?
  62. Is your organization prepared? How do you know? Can you substantiate it?

The plan should be specific to the type of facility, building, and the workers it covers. In general, the major sections and points that a workplace violence incident management plan should address include but, are not limited to the following:

  1. Procedures for calling for help
  2. Procedures for calling for medical assistance
  3. Procedures for notifying the proper authorities or whoever is acting in their place, security personnel and the police
  4. Emergency escape procedures and routes
  5. Safe places to escape inside and outside of the facility
  6. Procedures to secure the work area where the incident took place
  7. Procedures for accounting for all employees if a facility is evacuated
  8. Procedures for identifying personnel who may be called upon to perform medical or rescue duties
  9. Training and educating employees in workplace violence issues and the emergency action plan
  10. Procedures for regularly evaluating and updating the plan
  11. Procedures for debriefing participants to identify lessons learned.


Workplace violence isn’t selective, it can and does occur, unfortunately with more frequency than anyone would like. Given this reality, the potential for such an event occurring within your organization should be a probability taken very seriously, and addressed within your organization’s incident management plan and overall disaster preparedness strategy.

This article addressed workplace violence that was directed at (or between) individuals, a type three violence category. Workplace violence should not however be viewed as an event limited to or directed only at employees/personnel. Workplace violence can take on many forms and regardless of its form or target; the potential liabilities to the organization remain the same – critical.

Additional types of workplace violence which may fall outside the Tom and Betty scenario as described at the beginning of this article but, which, no less should be addressed in a comprehensive incident management plan. Organizations can face both legal and financial liabilities due to their being ill prepared in recognizing, containing, and mitigating workplace violence. Being proactive and not reactive to the reality of workplace violence is the key to the successful implementation of a workplace violence incident management strategy.

Al Marcella, Ph.D., CISA, CISM president of Business Automation Consultants, LLC, is an internationally recognized public speaker, researcher, and seminar leader with more than 25 years of experience in IT audit, security and assessing internal controls. An author of numerous articles and 26 books on various audit and security related subjects, Dr. Marcella’s latest book is “Business Continuity, Disaster Recovery and Incident Management Planning: A Resource for Ensuring Ongoing Enterprise Operations,” (Institute of Internal Auditors, www.theiia.org, ISBN 0-89413-527-9). Dr. Marcella can be reached at (314) 961-2006, ext. 7544 or via e-mail at This email address is being protected from spambots. You need JavaScript enabled to view it., www.businessautomationconsultants.com.