How to train for the un-trainable, and kick risk to the curb By Jason Sexton

Risk is a general term. And it ought to be. It is always around us to varying levels. There are all sorts of mitigation concepts and products. But risk can never be fully eliminated, and that means there is always a chance that something out of the ordinary could happen. Across the board risk is assessed and handled accordingly through assessment, policy, legalisation and training, but this cannot prepare for every eventuality. That’s a scary thought. What do you do when an incident occurs that you haven’t prepared for?

Let’s delve into a simple framework to apply to the unknown; an idea or process to help you consider your approach to the unplanned and unchartered risk event. We’ll discuss:

A real-life scenario of an unexpected risk event

The gap in risk knowledge on the ground

Using what I call ‘Critical Action Points’ (CAPs) to manage the risk event/zone

Let’s say it’s a routine evening for your Security team at a place of mass gathering. The hustle and bustle of commuters heading home from work, people going to enjoy dinner and drinks, or simply passing through. There is an almighty ‘BANG’. A call is made over the radio for Security to respond as reports are coming in that a large panel of glass has shattered onto the escalators below. Someone may have been hurt.

On arrival Security find the two escalators running with patrons still going up and down, stepping over a pile of smashed glass. There is a gap in the panelling above the escalator, but there are still shards of safety glass preciously hanging. Security are generally trained to deal with the immediate issue, so get to work moving patrons away and stopping the one escalator with glass on it directly below where it fell. The rest of the damaged glass falls, sending it flying and causing a small cut to a passer-by. Maintenance arrive and group with security to discuss the issue. Patrons still find ways to take shortcuts through the incident. Eventually a larger exclusion zone is set in place.

Considering the above scenario (a real-life situation), it is easy to see that some form of risk management has taken place, albeit that security staff on the ground may not know to call it that. When maintenance arrive, they conduct a risk assessment and realise more glass could fall, prompting security to extend the exclusion zone. In this discussion, resources group together to learn and gain information, but this takes time. What happens around the incident in the mean time is risk exposure that you don’t want. It isn’t that security, maintenance or the risk responders aren’t trained – it is that they are trained in specific areas. Sometimes that can be limiting. This type of incident is rare, so there is no clear procedure for isolating such an incident. Everyone works together to get there eventually, but it leaves passers-by, staff and the business entity still open to risks. How do you plan for something like this? What if this turned out to be an explosion, or caused by a malicious act?

Risk planning is something most organisations undertake, and there are always broad statements and response plans. When people are assigned jobs, they learn over time how to handle situations that occur regularly, while developing a ‘work it out as we go’ approach for anything unknown. This is a legitimate response to unknown incidents, but it means that people are exposed to risks for a longer period while personnel work through all the possibilities. If we know that we want to reduce risk first, then we must provide a simple formula for any person to follow when they come across a developing situation not encountered before.

We can summarise key steps in responding to unknown incidents in a formula I refer to as ‘Critical Action Points’ or CAPs. The idea here is to get to the core of what we need to do as a first responder. Simply put, when something happens in front of you, or you arrive at an incident and you’re not sure where to begin, the key is to stop people getting in harm’s way – reduce risk to people and you reduce risk overall. Sometimes there may appear to be competing priorities (such as a fire and trying to evacuate people, or a first aid incident and trying to preserve life) but all scenarios have a ‘safety first’ component which is key to arming any individual with the ability to respond to the unknown. Critical Action Points (CAPs) can be ordered as follows:

Safety first.

Make sure it is safe for you to approach. If not, or there is doubt, do not approach.

Isolate or Evacuate.

If you can approach safely, isolate the immediate area to reduce people entering the risk zone and try to make it safe (e.g. turn off gas supplies, etc.). If it is not safe, start evacuating from where you are outwards, away from the risk zone.

You can only do what you can do.

Cordon and Contain.

This may involve barriers, caution tape, closing doors (while remaining able to provide emergency services access) as examples. This can be done at the risk zone as you isolate it, or further away if you have had to evacuate.

If you are not confident on the risk level of the situation, make the containment bigger.

Get help.

Call for the appropriate services to remedy the problem as per your usual protocols.

These four Critical Action Points (CAPs) are an ideal way to simplify the approach to managing risk for everyone. We adapt to the inherit requirements of our roles and manage frequent risks well, but when a new, unusual, or challenging situation arises, we must pause and consider our response. Using CAPs puts the emphasis on safety; mitigating risk first and foremost to yourself, and then to others.

For all businesses, risk practitioners, security and first responders, the CAPs method can be applied to help keep people safe and in turn reduce risk and exposure to all involved, including the organisations bottom line.

Jason Sexton

Jason has been working in the security industry for over 10 years in both Australia and New Zealand, combining experience in major events, asset protection, crowd control, gaming, training and operations management. He holds a Diploma of Security and Risk Management and a Bachelor of Information Systems. Jason actively works in the industry as a consultant and security manager. You can find him on LinkedIn at