Active Shooter and Workplace Violence Response: Corporate Security Framework

Active shooter incidents and targeted workplace violence events are rare. When they occur, organisations with trained staff and tested protocols consistently achieve better outcomes than those without. The corporate security function’s responsibility is not to predict the unpredictable but to ensure that when an incident occurs, the people most likely to affect its outcome – employees on the floor, not law enforcement still minutes away – know what to do. This article sets out the frameworks, standards, and operational protocols relevant to corporate security planning.

What the Data Shows

The FBI Active Shooter Incidents Report 2023 documented 48 active shooter incidents in the United States that year. The median duration of incidents before law enforcement arrival was between 3 and 5 minutes. In approximately 25% of cases, the incident ended before police arrived – through evacuation, bystander intervention, or the attacker’s own decision to stop.

The implication for corporate security planning is direct: the window in which a trained response can affect the outcome is the first few minutes, before external response arrives. Waiting for law enforcement instruction before acting is, in a meaningful proportion of incidents, not a viable strategy. The data supports investment in staff awareness training and pre-planned protocols, not because incidents are frequent but because they move faster than reactive responses can accommodate.

In the UK, the Home Office Counter Terrorism Policing guidance and the National Counter Terrorism Security Office (NaCTSO) publish equivalent frameworks. UK incident data is lower in volume but the response principles are consistent with FBI and DHS guidance. The Terrorism (Protection of Premises) Act 2024 – commonly referred to as Martyn’s Law, after Martyn Hett who was killed in the 2017 Manchester Arena attack – introduces mandatory protection procedures and training requirements for qualifying public-facing premises.

Run-Hide-Fight: The Core Framework

The US Department of Homeland Security’s Run-Hide-Fight framework provides a three-option decision hierarchy widely adopted across corporate security programmes globally. The options are ordered by preference, not as a sequence to be followed in order.

Run: if there is a safe evacuation route, take it. Leave belongings. Move away from the building and keep moving until in a secure location away from the immediate area. Call emergency services once at a safe distance.

Hide: if evacuation is not immediately safe, move to a room that can be secured. Lock or barricade the door. Turn off lights. Silence mobile devices. Stay away from doors and windows. Communicate your location to emergency services by text if voice communication is not safe. Wait for law enforcement to clear the building.

Fight: as a last resort only, when you are directly in harm’s way and neither evacuation nor hiding is viable. Use whatever objects are available to disrupt the attacker. The goal is to create opportunity to escape, not to engage in a sustained confrontation.

The value of the framework is its simplicity under stress. When cognitive capacity is reduced by acute fear, a three-option hierarchy that people have rehearsed in training is actionable. Lengthy decision trees are not (DHS Run-Hide-Fight Guidance, 2023).

ALICE and AVERT: Structured Training Models

ALICE (Alert, Lockdown, Inform, Counter, Evacuate) builds on the same core logic as Run-Hide-Fight but adds a structured communication component. Alert emphasises the role of witnesses in immediately communicating the nature and location of the threat. Lockdown preserves shelter-in-place as a protective option. Inform means continuous communication to all occupants as the situation develops. Counter is the active disruption option – ALICE was developed partly as a critique of passive lockdown protocols that leave people static when movement might save lives. Evacuate when safe.

AVERT (Assess, Vacate, Elude, Resist, Tell) is a variant used in UK and some international corporate contexts, developed in part by UK Counter Terrorism Policing. It places individual assessment first: each person makes their own determination of the safest immediate action based on their proximity and information available. The Tell component emphasises post-incident reporting to law enforcement.

For corporate security planning, the choice of framework matters less than the consistency with which one is adopted and trained. Mixing terminology across different training sources introduces confusion. Pick one framework, train it consistently across the organisation, and test it in drills (CISA Active Shooter Preparedness, 2024).

Lockdown Procedures: What Makes Them Work

A lockdown is only as effective as the physical and procedural infrastructure behind it. This means: knowing in advance which rooms have functional locks and which do not; having clear protocols for barricading doors where locks are absent or inadequate; identifying assembly and shelter points on every floor of every facility; maintaining a communications tree that allows status updates to reach all employees quickly; and having a clear method for communicating the lockdown status to emergency services so they know which areas are clear and which are not.

Lockdown drills should test the actual infrastructure. Doors that are assumed to lock but have broken mechanisms become a critical vulnerability during an event. Rooms that appear suitable as shelter locations but have glass partitions or insufficient cover need to be removed from the plan. Testing identifies these gaps before they matter.

Facility security surveys – covered in the corporate security programme design guide – should include a specific assessment of active incident response infrastructure as a named component.

Communications During an Active Incident

Communications during an active incident require a protocol that separates different audiences. Law enforcement need to know: location of the threat, direction of movement, physical description of the attacker if known, number of potential casualties and injured, and whether any armed response is present on site including CP or security personnel.

Employees need: clear instruction on whether to evacuate, shelter, or hold position; confirmation that emergency services have been called; and updates on the situation as it develops.

The corporate crisis management communications plan – covered in more detail in the corporate crisis management guide – should include active incident communications as a specific sub-plan, not attempt to adapt a general communications template under pressure.

Post-Incident: Trauma Support and Business Continuity

Organisations that focus exclusively on the tactical response and neglect the post-incident period create a secondary set of problems. Research consistently shows that post-incident psychological support affects return-to-work rates, long-term staff retention, and litigation risk.

Critical Incident Stress Management (CISM) protocols provide a structured framework for post-incident support. These include immediate stabilisation, psychological first aid in the immediate aftermath, formal debriefing sessions, and referral pathways to specialist trauma services. CISM should be pre-contracted with a provider rather than sourced reactively – the same logic that applies to crisis PR and legal support.

Business continuity planning for an active incident should address: temporary relocation to an alternative site, evidence preservation for law enforcement investigation, communications to clients and stakeholders, and the decision framework for reopening the affected premises.

ASIS Workplace Violence Prevention and Intervention Standard

The ASIS/SHRM Workplace Violence Prevention and Intervention standard (2021) is the globally referenced benchmark for organisational response to the full spectrum of workplace violence, of which active shooter events are the most severe end. The standard defines threat assessment team structure, reporting channel design, prohibited communication policies, and response protocols.

The standard recommends a multi-disciplinary threat assessment team including HR, legal, security, and occupational health representatives. It emphasises early intervention in concerning behaviour patterns before they escalate to violence. The FBI’s threat assessment research consistently shows that targeted violence is preceded by a pathway of observable behaviours – not spontaneous. The insider threat guide covers the early-indicator detection framework in more detail.

Close Protection and Executive-Specific Protocols

For principals with assigned close protection, the operative’s response to an active incident differs from standard employee guidance. The immediate priority is evacuation of the principal by the fastest available route. The CP operative positions between the principal and the threat vector during movement. If evacuation is not immediately viable, the operative moves the principal to a lockable, defensible room and controls entry.

Engagement with the attacker is an absolute last resort – specifically, when the principal is in direct imminent danger and no other option exists. Active engagement prior to that threshold is not the CP mandate. It increases risk to the principal by drawing attention and potentially positioning the operative away from the protective role.

Coordination with responding law enforcement requires both hands visible, immediate identification as a security operative, and communication of the principal’s location. Plain-clothes operatives are at specific risk of misidentification during active shooter responses – this risk should be discussed with the CP team in advance and mitigated through clear communications protocols.

For senior executives who regularly move through high-footfall public venues – conferences, corporate events, transport hubs – the event security planning framework in the event security planning guide covers the venue-specific advance work that reduces exposure before an incident begins. For the office and workplace physical security programme that the active threat response connects to – including access control, visitor management, and lockdown infrastructure – see our corporate office and workplace security guide. For places of worship and faith community buildings – where Martyn’s Law obligations and open-access design create specific Run-Hide-Tell planning requirements – see our security planning for religious institutions guide. For a broader grounding in terrorism awareness for corporate travellers – including the ACT Awareness programme, vehicle-as-weapon response, and hotel-specific incident response – see our terrorism awareness guide for corporate travellers.

Sources

FBI Active Shooter Incidents in the United States 2023, Federal Bureau of Investigation, 2024. ASIS/SHRM Workplace Violence Prevention and Intervention standard, 2021. DHS Run-Hide-Fight Guidance, US Department of Homeland Security, 2023. CISA Active Shooter Preparedness, Cybersecurity and Infrastructure Security Agency, 2024. Terrorism (Protection of Premises) Act 2024 (Martyn’s Law), UK Parliament. Health and Safety at Work Act 1974, UK. NaCTSO Counter Terrorism Guidance for Business, National Counter Terrorism Security Office, 2024.