Changing the Game: How Dynamic Risk Strategies Are Elevating Event Security

Hilary Tuttle


April 1, 2019

event security risk management

At the 2019 NBA All-Star Weekend in February, Oklahoma City Thunder rookie Hamidou Diallo soared above Shaquille O’Neal to win the slam dunk ­competition, but he was not actually the player who got the most air—soaring even higher was an even newer player: a tethered drone. Hovering near the Spectrum Center arena in Charlotte, North Carolina, this was the face of a different contest being played that weekend as risk management and event operations professionals increasingly leverage advanced technology to help elevate event risk management at sporting events, concerts and music festivals.

We’ve explored the use of drones, just to get a higher angle to identify potential threats,” said Anshell Boggs, vice president and head of risk management for the National Basketball Association. Tethered drones like the one deployed by the NBA boost video surveillance capabilities by moving vertically to offer a broader perspective of an area, but are restricted in lateral movement to reduce safety concerns. “We don’t use free-flying drones because it creates FAA issues, but we’re looking at utilizing whatever technology is available to be proactive.”

Drones are just one of the wide range of tools being adopted by the NBA and a wide range of organizations increasingly interested in pursuing more innovative ways to proactively monitor and mitigate risk in an ever-evolving threat landscape. But this only scratches the surface of the new applications for the technology being deployed. For example, when Taylor Swift played a concert at the Rose Bowl last year, concert security measures included the use of facial recognition technology that analyzed attendees’ faces against a database of her known stalkers. According to Peter Williams, global product lead of live entertainment at Allianz, some event security teams are also using heat-detecting cameras to identify any build-up of people and send staff to break up crowds or prevent congestion around stairways or escalators, reducing the risk of individuals being slowed or injured in the event of an emergency. For events that occupy temporary or changing locations, like a parade or music festival, security teams frequently deploy supplemental surveillance cameras attached to movable poles.

Police now often monitor cellphone traffic at festivals “to pick up chatter, whether it’s from a lone gunman or just kids having fun and deciding to do something stupid,” Williams said. In addition to potential acts of violence or terrorism, authorities “monitor for things like flash mobs because the kids to love to invite everybody to suddenly rush the stage or rush some other part of the festival for fun,” he explained. In crowds of tens of thousands, this helps security identify such groups early and disperse the crowd before anything happens.

All these tools show promise for improving event security, but drawbacks remain, especially in terms of scale and accuracy. While facial recognition is being used to verify identities at airports to speed the security process and reduce the need for tickets, for example, the technology still needs to mature significantly to scale up from 300 people for a flight to 30,000 at a concert. Further, for facial recognition to work at all, authorities must know what a specific bad actor looks like.

Nevertheless, Williams said, entertainment promoters and venue operators are tremendously interested in the potential of many such tools since providing adequate security at large-scale events has become increasingly time-consuming and resource-intensive. Indeed, one of the biggest concerns for event professionals today is how to incorporate heightened security measures without detracting from the attendee experience. As security concerns and expectations increase, there can be “a compromise between getting people in and getting them in safely,” Williams said. For a crowd of tens of thousands, x-ray screening, metal detectors, and bag inspections can cost tremendous amounts of both time and money, and “no one wants to go to a concert three hours before the band starts playing just because you’ve got to go through security.”

Evolving Security Expectations

In recent years, achieving this balance between security and attendee experience has proven tricky as threats evolve and security best practices change. Before the Boston marathon bombing in 2013, the security risks around live events seemed more confined to higher-profile events—the Macy’s Thanksgiving Day Parade, the Super Bowl, or Times Square on New Year’s Eve, Williams said. But as terrorism has shifted toward more lone-wolf attacks or attempts to sow discord by attacking smaller, softer targets, the calculus around event risk management has changed with the broadening threat.

“It has definitely ratcheted up our thinking—what we saw perhaps as a soft target before has now become a harder target,” he said. “In America, we haven’t yet seen what’s happening in Europe where relatively small events have been attacked, but I do think, even here, there has been a change of perception that any large gathering potentially is a target.”

Technological tools are supplementing lower-tech and more fundamental event security practices, which remain a critical part of event risk management. The strategy and scale at which they are deployed has changed, however, as security best practices and expectations have evolved. Drawing upon lessons from the Boston bombing and the use of trucks to attack crowds in London and the south of France, some of the most common safety provisions include searching individuals carrying heavy backpacks, using concrete barriers to prevent vehicles from driving into crowds, and installing either permanent or temporary security cameras along key routes. Some venues, Williams reported, even have people empty their belongings into clear plastic bags so that the items are always visible.

Insurers have also become more active in establishing and enforcing more rigorous safety provisions and best practices, not necessarily to decrease premiums, but as a reflection of a higher baseline of security expectations. “Now, we expect the promoter who is putting on a state of the art event to be up to speed with all these latest issues,” Williams said. “A few years ago, it was rare to go through a metal detector and you might go through a bag search to go into an event. Now, it’s rare that you don’t have a bag inspection or go through a metal detector. That hasn’t brought down the cost of the insurance—it’s what we expect a good promoter or good insured to have in place at their event. When they don’t have good security, that’s when it’s detrimental to the insurance. You’ve raised the bar as to what is expected in the event space going forward.”

Elevating Risk Management Fundamentals

As with any risk, technological advancements alone are certainly not enough—indeed, underpinning it all, fundamental risk management strategies and procedures are more critical than ever. Event organizers and risk management professionals are rising to the challenge, pushing event risk management to meet these pressing demands.

For many keystone events in the sports world, particularly those with pre-selected locations like the Super Bowl or the NBA All-Star Weekend, leagues begin detailed, site-specific preparations far in advance and make use of the lead-time to develop incredibly robust operational plans and emergency provisions for any scenario that may unfold. Boggs noted that the NBA focuses on proactively engaging and coordinating with numerous federal, state and local law enforcement agencies and security vendors. “Under the leadership of our internal security department, all of those agencies are tapped as resources to get a good understanding of the jurisdiction that we’re in, and then we’re also able to leverage the monitoring mechanisms that they have in place to proactively identify and prevent risk,” he said.

The league has found these local advance efforts extremely helpful in mitigating risk efficiently, allowing them to make the most of existing law enforcement resources in the area and build a rapport with the local stakeholders who may be impacted. Additionally, with the assistance of its insurance and broker partners, the risk management team is able to complete several walkthroughs of key venues to proactively identify potential issues and risks.

As part of this preparation process, in the month or so before the big day, the NBA runs detailed tabletop exercises with a range of internal and external stakeholders, including risk management, legal, security, basketball operations, HR, IT, local police and fire departments, and other law enforcement. In preparation for this year’s All-Star Weekend, for example, the league also worked closely with the Charlotte Regional Visitors Authority (CRVA), the mayor’s office, and Hornets Sports & Entertainment, the local home team’s hospitality and event planning group.

“For our larger events, we’ve increased the use of tabletop exercises that include all stakeholders as a way of practicing and executing our risk management and public safety/security/risk management controls and trying to make sure that everyone is aware of what resources are available or how a particular situation would play out,” Boggs said. His team also takes this proactive engagement approach “to involve stakeholders as early as possible to make sure that we have appropriate insurance coverages and risk management solutions in place to protect fans and all stakeholders.” The use of insurance solutions for risk transfer, such as the procurement of event cancellation coverage, inclusion of contract terms with solid insurance and indemnification terms, and securing related certificates of insurance, is also vital to the risk management plan.

To address specific emergency scenarios, participants delve into the details of their planned response to review, for example, what to do in the event of a medical emergency, how to get people out of an arena or venue, what transportation will be on hand, and how many people can be directed to specific medical facilities in the area. Indeed, the league even does pre-engagements with local hospitals and medical facilities to understand their capacity and capabilities and ensure there will be adequate staffing and resources available.

“One of the things that we’ve done that, I think, makes a big difference is establishing a rapport with local medical facilities that might be tapped in the event of a large incident—we go in and just let them know, and we’re making sure that they’re prepared for it if, say, 50 or 100 or more people need to come,” Boggs said. “It helps just making sure that’s in place versus kind of giving them a surprise and not having any of the advance things done.”

The NBA is also increasingly focused on potential cyber-related threats, and included a separate scenario specifically focused on cyberrisk-related issues in this year’s lineup of tabletop exercises. One such scenario could involve escalation of online threats from angry fans or more sinister actors. Monitoring social media platforms for threats against specific players or events plays a key part in managing both talent and event risk. If a disgruntled fan, for example, tweets about wanting to bring something dangerous to a game or that they are unhappy with a particular player and are talking about rushing the court, the league can alert a global command center that can then escalate the situation as necessary by triggering the NBA crisis management team, involving law enforcement, sending additional security to certain areas at the venue to fortify against the risk, or even attempting to locate the fan on-site.

New Cyberrisk Exposures

As with any technology, while new tools are constantly being rolled out to improve safety and security efforts, they also introduce new risks. Consider, for example, the increasingly common decision to go cashless. Many standalone businesses have shifted to exclusively using wireless payment technology for point-of-sale transactions, and according to Williams, many event organizers are starting to go cashless as well. In addition to mobile credit card readers, some are issuing wristbands programmed to charge the attendee automatically. Potentially familiar to visitors of large theme parks, these smart bands are particularly promising in settings like multi-day music festivals.

Customer transactions on-site are one of the top revenue drivers at any live event, from merchandise sales to food and beverage purchases. Accepting cash increasingly presents a risk that technology can readily reduce, easing not only the logistics of conducting transactions, but also eliminating the risks of having to physically hold, store and transport large sums of cash. At large music festivals, for example, 40,000 attendees can spend $200 to $300 a day with vendors dispersed over an expansive physical property. The transition to cashless systems not only encourages customers to spend by easing every transaction and speeding them up, but also reducing the risk of robbery or employee theft.

While such technology mitigates some risks, however, it can also introduce others. Eliminating the physical risks of processing and storing cash creates a dependence on the technology needed to accept alternative forms of payment, meaning that technical problems with credit card readers, payment processing services, or internet connectivity could cripple merchandise and concession sales.

Particularly with high-profile events, security teams  increasingly often find themselves under siege from a barrage of cyberattacks. “We worked quite closely at the time with the risk management of the London Olympic Games and they were under attack constantly, with some people trying to mess with the ticket machines, other people trying to mess with scoreboard, and other people trying to make more serious threats of a cyber-terrorist nature,” Williams said.

Attacks on ticketing systems, like the one that disrupted the 2018 Winter Olympics opening ceremony in Pyeongchang, South Korea, can prevent people in the audience from being admitted and can create chaos behind the scenes. But attacks on ticketing and other operations systems pose a risk that event organizers and insurers are not yet entirely sure how to best mitigate. As electronic operations systems proliferate among a broad range of events, many organizations may find themselves exposed to similar threats, and since most of these incidents have not yet crossed the threshold into causing a physical loss, standard insurance options may not sufficiently mitigate such risks. As a result, insurers will need to develop new products to meet buyers’ evolving needs.

“If somebody hacks into your payment system and stops you from taking credit cards or electronic wristband transactions, the concert goes on, so a traditional insurance policy doesn’t pay in those circumstances because it hasn’t been canceled—you just can’t sell any of your merchandise,” Williams explained. “So we’re looking at a kind of a hybrid cyber/loss of income policy arising from a cyberattack. And I think this is what you’re going to see in the future as more and more of these point-of-sale systems present a target.”

Hilary Tuttle is managing editor of Risk Management.