Skip to Content
Continuous Performance Improvement

Could Yours Be the Site of the Next Mass Shooting?

John Pryor | September 20, 2019

On This Page
A security officer watches a person dressed in black leave an office building

The plethora of active shooters in US cities this year has adversely affected a retail store, garlic festival, university, synagogue, and many others. Will your location be next? Mass shootings cause not only deaths and injuries; they also cause major property damage and legal expenses.

Traditional risk management works not only for "traditional" risks but also for active shooters. To manage this risk, you need to conduct effectively the three processes within a risk management system.

They are the following.

  • Risk identification and measurement
  • Risk reduction and control
  • Risk transfer and assumption

Risk Identification and Measurement

When we think about risk identification, most of us immediately identify "liability to third parties." This can include significant defense costs incurred to prove your organization was not legally liable for the terrorism. Measurements of liability risks are usually shown as "unlimited."

A business owner generally is not liable to anyone injured by the criminal acts of a third party—unless the criminal act was foreseeable. As mass shootings become more commonplace, it's possible the current perception of such events as unforeseeable may begin to shift.

Many of us (including the media) overlook multiple property risks. They can include the following.

  • Property damage to buildings and their contents
  • Business interruption
  • Extra cleanup expense
  • Additional security upgrades
  • Crisis management
  • Event cancellation

Property losses are more definitive to measure than those of liability risks (e.g., replacement cost [before depreciation] of buildings, equipment, inventory, etc.). Income is measured in terms of net profits that otherwise would have been earned—but for the active shooter—plus expenses that continue even though operations are shut down.

Risk Reduction and Control

The federal government has enacted at least two laws to mitigate—if not eliminate—this risk for certain business owners.

In 2002, the Support Anti-Terrorism by Fostering Effective Technologies Act was passed to ensure that organizations would not be deterred from using technologies that could help protect the public. A prevalent example is a system of metal detectors at the entrance to any event. All such systems help; none is perfect. The shooter in the Gilroy Garlic Festival was able to cut through cyclone fencing to enter—even with police patrol with a canine partner—the perimeter.

Leaders in each community need to create a collaborative method to mitigate this risk through early intervention and prevention. It needs to be very broad-based to include clergy, mental health professionals, and others who can report behavior patterns, social media content, gun and ammunition collections, and other signals. Professionals may be constricted by the federal Health Insurance Portability and Accountability Act confidentiality statutes.

In 2005, Congress enacted the Protection of Lawful Commerce in Arms Act to ensure manufacturers and sellers of firearms and ammunition are nor "liable for the harm caused by those who criminally or unlawfully misuse firearms." There are exceptions (e.g., "negligent entrustment" and knowingly a state or federal statute).

Risk Transfer and Assumption

Risks are transferred, not eliminated, when an insurance policy is purchased. Risks also can be transferred to others by a hold harmless provision in noninsurance contracts. Risks can be assumed either in full or in part (with deductibles and self-insured retentions).

All insurance policies are required to include terrorism coverage through a federal reinsurance program called the Terrorism Risk Insurance Act (TRIA). Otherwise, terrorism would be expressly excluded; it's a commercially uninsurable risk. Our federal government can accept this risk transfer by using our tax dollars to fund what would bankrupt commercial insurers.

A premium is charged, but coverage is contingent on the US Treasury secretary certifying an act as a terrorist act. Any single year is limited to $100 billion in losses—so there is a "cap" beyond which even Congress is unable to go in accepting this risk transfer.

Because of these limitations, the private market is beginning to respond to this need in a creative manner. One popular example is from Lloyd's of London. It offers the following specified peril calculable coverages.

  • Legal liability (excluding those covered by TRIA)
  • Victim coverages (e.g., psychiatric care, medical or dental care, rehabilitation, death benefits, etc.)
  • Business income (business interruption) and extra expense
  • Public relations and crisis management
  • Employee counseling
  • Additional temporary security measures

If your location or event is conceivably within the scope (no pun intended) of an active shooter's site selection, ask your broker for a proposal of this coverage. Then, you should be well-positioned to determine the best steps to measure, reduce, and transfer this horrendous risk.

Doing so, you'll enjoy a major benefit of sound risk management—a quiet night's sleep.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.