Scroll to top
Request Consultation
Active Shooter and Workplace Violence Response: What Organisations Need

Security Intelligence

Active Shooter and Workplace Violence Response: What Organisations Need

Practical guidance on active shooter and workplace violence preparedness for organisations. Covers threat assessment, response protocols, training, lockdown procedures,.

Marcus Webb, Security Operations Adviser 1 March 2026 2 min read

Active attacker incidents at workplaces, schools, and public venues have become a defining security challenge for organisations globally. While the probability of any specific organisation experiencing an attack remains low, the consequences when they occur are severe and the expectation from staff, regulators, and insurers is that organisations have prepared.

This article addresses what organisations need to have in place: not a comprehensive emergency management manual, but the core requirements.

The Threat Landscape

Active attacker incidents in the UK and internationally have demonstrated several patterns relevant to preparedness:

Lone actors are the primary model. Most attacks are carried out by lone individuals rather than coordinated groups. This affects the preparedness approach: defending against a lone actor with a knife or vehicle requires different protocols from defending against a coordinated armed team.

Warning signs frequently exist. Retrospective analysis of active attacker cases shows that concerning behaviour was observed by colleagues or acquaintances before attacks in a significant proportion of cases. Behavioural threat assessment and reporting mechanisms are therefore prevention mechanisms, not just response mechanisms.

Speed is the critical variable. The first minutes of an active attacker incident determine outcomes. Physical security measures that slow an attacker, communication systems that alert occupants immediately, and trained staff who initiate response protocols without waiting for direction all reduce harm.

The Three Preparedness Components

Prevention. Threat assessment processes to identify individuals of concern before they act. This requires a reporting mechanism (how do staff report concerns?), an assessment process (who evaluates reports?), and intervention capability (what happens when a concern is substantiated?). Prevention is the most cost-effective investment: it avoids the incident rather than managing its consequences.

Response protocols. Clear, trained response protocols for the incident itself. Who calls emergency services, what does the lockdown procedure involve, what is the communication cascade to staff and visitors? These protocols must be documented, trained, and rehearsed.

Physical security. Access control at entry points, CCTV, and physical barriers that delay attacker entry. In higher-risk environments (financial institutions, government facilities, schools), trained security personnel at controlled entry points provide both deterrence and first response capability.

Post-Incident Response

Organisations should plan for the post-incident phase:

  • Staff psychological support and trauma response
  • Business continuity (when and how does the facility reopen?)
  • Communication with staff, families, and stakeholders
  • Cooperation with emergency services investigation
  • Post-incident security review

For security consultancy services including threat assessment and security programme design, contact us through our quote form.

For tailored support on the issues covered here, see our executive protection service and bodyguard hire service.

FAQ

Frequently Asked Questions

Run-Hide-Fight (or Alert-Lockdown-Inform-Counter-Evacuate in some frameworks) remains the foundational guidance for individuals in an active attacker scenario. Run when there is a clear escape route; hide and secure the area when running is not possible; fight as an absolute last resort when life is in immediate danger. The core principle, that passive compliance with an attacker is not always the safest option, remains current.

Training should be practical rather than theoretical. Tabletop exercises for leadership teams, physical evacuation drills, and awareness training for all staff on recognising pre-attack indicators and immediate response protocols. Annual refreshers are appropriate for most organisations. For higher-risk environments (schools, healthcare, government buildings, financial institutions) more frequent and more detailed training is appropriate.

The most effective measures are those that delay and deter entry. Access control that prevents unscreened individuals from entering occupied areas is the primary countermeasure. CCTV provides intelligence but not prevention. Trained security personnel at entry points provide both deterrence and early detection. Physical barriers that slow an attacker give occupants time to initiate response protocols.

Many workplace attackers display observable behaviours beforehand, including escalating grievances, threats, fixation on a target, and a marked change in conduct. Structured threat-assessment processes and a culture where staff report concerns are more effective than relying on physical measures alone. Source: FBI workplace violence and pre-attack behaviour studies.

Recovery planning is part of a credible response. This includes immediate access to trauma-informed mental health support, clear communication to staff, and a structured return-to-work process. Organisations that plan only for the incident itself, and not the aftermath, tend to mishandle the weeks that follow.
Get in Touch

Request a Consultation

Describe your security requirements below. All enquiries are confidential and handled by licensed consultants.

Confidential. Your details are never shared with third parties.