Q&A with Ed Butler, Chief Resilience Officer at Pool Re
Following our exclusive publication of the Pool Re SOLUTIONS Annual Review 2021, CTB shares an exclusive interview with Ed Butler concerning contemporary threats, the impact of climate change on the terrorism and the importance of collaboration
Ed, your annual review certainly made for an interesting albeit daunting read. Is our current security situation really that bleak?
Yes and I’m sorry not to be more positive but I think my review does paint a pretty realistic picture of the current and future security situation. We are facing a perfect storm of possible nation state conflict in Ukraine, Chinese seizure of Taiwan, an accelerating nuclear programme in Iran and an evolving, complex and confusing terrorist threat landscape. From my perspective, the global terrorism landscape is more dangerous and diverse than it was pre 9/11. Wrap around this the long term consequences of a global pandemic, climate change, fiscal and financial pressures on the global economy and growing malicious cyber activity and you are left with a pretty uncertain and challenging future.
A major theme of your report was the diversification of terrorist threat actors, targets and methodologies seen over the last 20 years. Which of these changes poses the greatest challenge for CT professionals and governments?
I think the main challenge is probably the diversification of methodologies. As the range of attack methodologies continues to broaden, the Counter Terrorism Police (CTP) and MI5 can’t take their eyes off legacy threats, such as large truck bombs (VBIEDs), as they could still happen. In simple terms; ‘nothing falls off the plate’ while the resources to deal with the scale and breadth of the threat remain the same. In addition, I am concerned that in these resource constrained times, coupled with the current focus on unsophisticated methodologies, that we are not investing enough time in looking at high-impact, so called ‘spectacular’ events.
The strategic challenge facing governments is how to address the underlying causes and drivers of terrorism, be they political polarisation, social inequalities, economic hardship, or growing extremism between left wing, right wing and Islamists. These are fundamental challenges which cannot be resolved by the CT Police and security services alone; they require long term, and very sizeable investment to address the core problems within our society and our communities.
Which contemporary threats do you think represent the greatest risk and what steps can we take to better understand and mitigate them?
From my perspective it has to be CBRN, terrorist use of drones followed by cyber. In early 2001, when I was in charge of the UK’s leading military CT capability, I was hosting a discreet conference on the terrorist use of CBR material and I remember summing up that we would see the terrorist use of a WMD (Weapon of Mass Destruction) in our lifetimes. None of us thought that only nine months later Al Qaeda would fly two aircraft into the Twin Towers and achieve catastrophic, WMD, effect. Here we are now, 20 years on, with the chilling statement in last year’s Integrated Review stating that a terrorist group will successfully use a CBRN weapon by 2030.
That’s why we at Pool Re, the only terrorism pool to provide reinsurance cover for CBRN events, are investing heavily in research and modelling to fully understand not just the impact but also future frequency of these types of events. We work very closely with a range of academic institutions, including the Cambridge Centre for Risk Studies and Cranfield University, and we value very highly the ground breaking collaboration we have undertaken with them over the last 5 or so years. More still needs to be done and that’s why we are encouraged by the closer partnership we are developing with the Home Office in understanding and mitigating this strategic risk.
Early evidence of climate change’s aggravating impact on terrorism has started to emerge. Do you see this as an important area for research and development?
Absolutely. Climate change is now very much on the political agenda as seen at last year’s COP 26 and in the PRA’s Climate Change Adaptation report 2021. Back in 2019 we commissioned Professor Andrew Silke, at Cranfield University, to undertake some research in this area: Horizon Scanning the Terrorism Threat. In his paper, Andrew identified climate change as one of the three macro-drivers of terrorism and that most states are increasingly recognising it as a growing strategic security concern. More recently, we have teamed up with START, at the University of Maryland, to look more closely at how climate change is becoming one of the key drivers of terrorism. This work will be one of the principle discussion topics at the International Federation of Terrorism Reinsurance Pools (IFTRIP) conference in Washington this May.
What did you mean when you wrote we should be ‘threat actor agnostic’ when devising risk management and resilience strategies?
When I talk of the need to be threat actor agnostic I mean that security professionals and risk managers should not be fixated on whether a perpetrator is an Islamist extremist, right/left wing terrorist or a serious, organised criminal as well-designed, planned and resourced risk management plans will prevent and protect against the vast majority of attackers, regardless of their ideology and motivations. This is particularly the case in the cyber domain where, for example, the adoption of NCSC 10 Steps to Cyber Security will prevent all but the most sophisticated attacker from breaching your IT system.
Improved awareness and better training are perhaps the best tools for deterring any attack or at least mitigating the impact. It’s how you prepare and respond that will limit the severity of an attack, enable a speedy recovery and improve long term resilience to a broad array of risks.
In the report, you mention a need for greater collaboration between public and private sectors. Why is this important and what might this look like in practice?
This is now so important especially as the threat continues to rapidly evolve and we need to keep up, innovate, overhaul old structures, technological advancement and be more agile in our collective responses to the threat. The CT Police and government do not have sufficient resources, and as acknowledged recently by the Head of MI6, the skills and experiences to keep up with all the emerging technologies. We need to think, act and respond differently to the full spectrum of terrorist threats.
To achieve this, business, academia and government need to work together in a genuine partnership and collaboration. This needs to be underpinned by a cross sector and inter-disciplinary response from all sectors of society, building a ‘community of responsibility’ where businesses and sector groups come together to build on awareness and resilience. A good example of this is the partnership, known as the ‘CT Alliance’, between the Homeland Security Group, CT Police and Pool Re and the development of an information sharing platform, called Protect UK, which will be launched at the Security and Policing Conference in March this year. We have also just launched a new private public research consortium with the Cambridge Centre for Risk Studies, focusing on how best to protect society from future systemic risks such as pandemics, cyber threats, geopolitical change, financial crisis and climate change.
You mention Protect Duty, what do you think the impact of this legislation will be on businesses and the insurance industry?
As I wrote in the Review, Protect Duty will be the single biggest change to the terrorism risk landscape for a generation and will impact over half a million businesses, most of whom have never formally considered the risk of terrorism on their businesses, employees and customers. Over 2,700 businesses responded to the government’s consultation on the proposed Duty which demonstrates the high level of interest and concern by owners and operators of Publicly Accessible Locations. The impact of the legislation of the business community is likely to be as significant as the introduction of the 1974 Health and Safety and Work Act, although it is still not clear exactly what the compliance and enforcement measures will be. From an insurance perspective, business owners and operators will need to consider the impact on their terrorism liability cover for both Employers’ Liability and Public Liability.
And what role will Pool Re play?
Pool Re, through its consultancy division SOLUTIONS, has already been approached by its Members for advice on how the Duty will impact on their insureds. We have written a number of briefing notes, held webinars and stand-by to provide further guidance as detail on the legislation becomes apparent.
When it comes to terrorism, what should be on the top of every risk manager’s agenda in 2022 and beyond?
That’s a difficult but good question. There is so much for a risk manager to consider and, more importantly, prioritise in these resource challenged times. I think that from a C-Suite and Board perspective more attention needs to be paid to the identification and management of strategic tail risks as well as supply chain vulnerabilities. The bottom line question to consider is whether you have the appropriate insurance cover in place to cover the full spectrum of terrorist risks out there.
Closer to home, and certainly for the next couple of years, the focus for every risk manager, business owner and operator, should be on the forthcoming Protect Duty and how this will impact on their day to day operations and liabilities.
And finally, Ed, what would you say is the most important lesson from the last 20 years when deciding how we respond to future terrorist threats?
For me, having spent over 35 years in the counter terrorism space, as a practitioner, risk consultant and now in the terrorism reinsurance sector it has to be greater collaboration between the private and public sector and the sharing and fusing of all sources of intelligence. As Lucy D’Orsi, the former Deputy Assistant Commissioner in the Met Police, said the police and security services need to ‘dare to share’ more information and data with business and security professionals. Business is very much up for this two way exchange as its people, assets and customers are very much on the terrorist front line.