The most important component is that someone in authority understands why this matters to the organization and that it's not simply a question of how to prevent an occasional mass murder of this sort—that the value of a good workplace violence program is to save the company wear and tear and money every single day. It takes a long time and many, many errors before someone reaches the stage of making overt threats. Today a lot of companies have something to handle threats when they emerge, but that's too late because it's more expensive and actually riskier once a threat has emerged. On the average, the cases we deal with that reach the threat stage should have been recognized seven years earlier as problem employees who should have been separated.
Proactive vs. Reactive. The argument goes on in many departments when it comes to budgeting for preparedness vs. response. How do you detect the next employee "Gone Postal" as they say? What is the early warning indicator that tell you that you need to train employees on the detection of "abnormal behavior" or out of context business transactions?
If we are to continue the path of handling disruptions in business and emergencies with personnel with the idea of mitigating the risk post incident, then increase the number in the budget for the line items under outside counsel, litigation and insurance. However, the idea that a corresponding increase in the line items in the budget under the heading compliance, security and training will decrease risks prior to an incident is prudent thinking.
In the battle for finite dollars to be spent across the enterprise in all categories that have significant risks, there will always be an argument on where the investment of resources will have the biggest payoff or return on investment. Yet, how will you ever know whether this is the year of the earthquake, the tornado or the employee who becomes hostile or potentially lethal? The point is, you will never know, for certain.
This is why an investment in enterprise risk management dialogue requires that every department and each process factor in additional costs for mitigating risks. Each person who is closest to the work being done knows where the greatest potential is for a loss event. The place that is most vulnerable. Just ask the HR specialist what employee they have hired over the past year represents the most lethal threat to the company. Just ask the IT Security Engineer what system or application is on the verge of a melt down and they can tell you. Or just ask the executive who they think the middle manager is that is getting ready to move to the competition with all the latest R & D secrets. They can tell you.
Being proactive in managing operational risks sometimes means that you have to ask your employees risk related questions on a continuous basis. You have to document and collect the answers and feedback so that you can detect trends in behavior or potential eruptions in behavior. Finally, you need to figure out how to do all of this using new tools and processes to protect privacy and anonymity. Get started!