INSTRUCTIONS

SRM ASSESSMENT PACK - INSTRUCTIONS

PURPOSE:

The SRM Assessment Pack is used to complete the country threat assessment and site specific risk assessments. The SRM Assessment Pack should be updated in alignment with the Business Risk Management process (every six months). It should also be updated in the event of significant business change or significant change in the threat environment.

Before completing the consequent sheets you should:
- Read the SRM Manual. This is important as the Manual provides context and explains the purpose of the different stages of this methodology.
- Consider where you would look for information and indicators regarding the threat environment (internal resources such as incident reports, external sources such as crime & corruption statistics).
- Think about which internal functions you should engage with and who (or what forum) will be a decision making 'Approving Authority'.
- Consider printing the reference documents (Threat Severity Matrix and Description of Threats Table) for ease of use when completing this SRM Assessment Pack.

On completion, findings from the SRM Assessment Pack are to be used to complete the SRM Briefing Pack for reporting purposes. You may wish to draft the Country Threat Summary (in the SRM Briefing Pack) on completion of the Country Threat Assessment in this workbook (Step 3) while the threat information is fresh in your mind.

Overwrite all red text in this workbook.

Step 1
Complete the SRM CYCLE PLAN to prioritise the order in which sites will be risk assessed.

Step 2
Using all sources and agencies available to you, collate and assess all threat information and insert in the SANDA NOTES sheet.

Step 3
Complete the COUNTRY THREAT ASSESSMENT based on SANDA:
- Fill in the table: insert Threat Actors, Credible Threat Events, Intent, Capability and History against each threat that is relevant to your country
- Assign a threat rating to each threat, referring to the Threat Severity Matrix

Step 4
Complete a separate SITE RISK ASSESSMENT for each site:
- Specify the name of the site on the title of the sheet (e.g. Nairobi Office Risk Assessment or Bayreuth Factory Risk Assessment)
- Review the site threat ratings considering whether the threats at the site are different to the country level threats as detailed in the COUNTRY THREAT ASSESSMENT
- Conduct a SECURITY SURVEY and assess the vulnerabilities of the site. Use the appropriate security survey template from the SRM Interact site
- Go through the survey and insert the vulnerabilities identified in the SITE RISK ASSESSMENT against the relevant threat that the vulnerability relates to, e.g. lack of anti shatter film on windows is relevant to Terrorism
- Assess the Likelihood, Impact and Risk ratings for the site (see Matrices in the Manual)
- Recommend a risk response option (refer to para 4.5 of the Manual)

Step 5
Complete the RISK MITIGATION TABLE and ACTION PLAN for each site with recommendations and specific measures/controls to be implemented to manage relevant risks.

Step 6
Complete as many SITE RISK ASSESSMENTS as required (1 for each site) by duplicating and filling in new SITE RISK ASSESSMENT sheets.

SRM Cycle plan

CANADA SRM CYCLE PLAN

INSTRUCTIONS:
- List all BAT sites related to this country including head office, factories, warehouses, distribution centres and any other (such as residences, key hotels) in column B.
- Fill in site address/location in column C.
- Specify whether the site is BAT or 3rd party managed in column D.
- Decide whether the risk assessment of this site will be done by Security Manager or it will be a self-assessment (e.g. if the site is managed by 3rd party). Insert decision in column E.
- Consider whether the risk assessment of this site will be a high priority (1), a medium priority (2) or a low priority (3) in column G. Specify the relevant considerations in column F. Considerations to include criticality of the site (potential value of the site/equipment/goods stored, number of employees, critical business processes, volumes of confidential information etc.) and whether the site may be a higher priority due to the threat environment and estimated risks at that site.
- Agree prioritisation and frequency of risk assessments with appropriate authority. Suggested frequency is as follows: a high priority site (red) will be assessed at least once per year, a medium priority site (yellow) will be assessed every 2-3 years and a low priority site (green) will be assessed every 4-5 years. Record agreed frequency in column H.
- Insert the date of the last risk assessment in column H (or N/A if never done before/no info).
- Insert the agreed date for the next risk assessment in column J.

COLUMNS:

COUNTRY SITES

ADDRESS/ LOCATION

BAT / 3RD PARTY MANAGED
Nicola Huxley: If it is a 3rd party site we may not have clear jurisdiction, e.g. a distributor's warehouse

RISK ASSESSMENT TO BE COMPLETED BY
Nicola Huxley: State Security Manager or other as applicable

PRIORITY CONSIDERATIONS (add comments)
Author: Considerations to include criticality of the site (potential value of the site/equipment/goods stored, number of employees, critical business processes, volumes of confidential information etc.) and initial risk estimation

PRIORITY
Author: Based on the priority considerations provided. Discussed and agreed with associated GM/Leadership Team

AGREED FREQUENCY OF RA
Author: Based on the priority considerations provided. Discussed and agreed with associated GM/Leadership Team

DATE OF LAST RA

DATE OF NEXT RA

ROWS:

OFFICES
- Office1

FACTORIES
- Factory 1
- Factory 2

WAREHOUSES
- Warehouse 1
- Warehouse 2

DISTRIBUTION CENTRES
- Distribution Centre 1
- Distribution Centre 2
- Distribution Centre 3

OTHER (consider residences, hotels, etc)
- Specify 1
- Specify 2
- Specify 3
- Specify 4

SANDA Notes

CANADA COUNTRY SANDA NOTES

INSTRUCTIONS:

Refer to page .... of the SRM Manual for more information on SandA Notes.

The SandA Notes table should be used to help you to record, collate and then assess the threat information available to you from a variety of different sources and agencies. This information may be derived from a service provider's website (e.g. Exclusive Analysis (EA)) or from a conversation held with a credible source of information such as a Security Manager of another organisation, or a Chief of Police, or a Security Manager at a local Embassy.

You may wish to include the threat rating provided by a service provider (e.g. EA may consider terrorism to be a 3 in your country) but be careful if comparing this rating with those of other service providers, as the criteria for their ratings may vary. They may also vary from the BAT definition provided in the Threat Definition Table (see para of the SRM Manual).

The SandA Notes table is designed to be your own internal working document; a central repository for your notes on the different threats. Used effectively it will become a great source of information for you to make your assessments.

INSTRUCTIONS:
- Insert country title on the top of the sheet.
- Collate the information in the table below.
- Add your comments and notes. To keep these distinct from the source information, use COMMENT and COMMENT ENDS.
- Create additional rows as necessary.
- Then use this assessed information to complete the Threat Assessment tab.

COLUMNS:

DATE OF REPORTING
Maria Davydenko: Insert the date the information was reported

REFERENCE/ SOURCE/ AGENCY
Maria Davydenko: Specify the SANDA source used e.g. EA, Control Risk, News, Police etc.

THREAT INFORMATION
Maria Davydenko: Insert information obtained from the source associated with the relevant threat. Add comments/remarks as necessary.

ROWS:

CRIMINAL THREATS TO PEOPLE: Police-reported Crime Severity Index 81.4 - 2012
- Kidnap
- Murder
- Assault/ Robbery
- Extortion

CRIMINAL THREATS TO ASSETS
- Fraud
- Theft - by employees
- Theft - by non-employees
- Burglary
- Armed robbery & hijack
- Malicious damage / sabotage
- Arson

THREATS TO INFORMATION
- Malicious theft
- Malicious disclosure of info
- Malicious manipulation of info
- Unintentional disclosure of info
- Accidental manipulation of info

TERRORISM
- Direct attack against BAT/comparable organisation
- Indirect attack affecting BAT

GEO-POLITICAL TENSIONS
- Government / Regime stability
- Harassment / Detention by authorities
- Regional tensions

SOCIAL INSTABILITY
- Civil Unrest
- Social activism
- Religious issues

MILITARY ACTION
- Civil War
- Military Action/Unrest
- Insurgent Activity/ Guerilla Warfare

ENVIRONMENTAL
- Wild Fire (not arson)
- Flood
- Natural Disaster-specify
- Pandemic

TRAVEL
- Airlines
- Road Traffic Accidents
- Infrastructure
- Anti-foreigner sentiment

Country Threat Assessment

CANADA THREAT ASSESSMENT as at 18 March 2014

Rating key: HIGH | MEDIUM | LOW | INSIGNIFICANT

INSTRUCTIONS:
- Refer to the Threat Definition Table (in the Manual) for detailed explanation of the threats and for examples of credible risk events.
- Complete the details (columns D-H) for each threat category (e.g. Terrorism) and each sub-threat (e.g. Direct Attack) that is relevant to your country. Refer to your SandA Notes to help you complete this. You must enter a narrative in each cell. Insert N/A if it is Not Applicable.
- Insert Threat Actors in column D.
- Define credible risk events in column E.
- Specify the Intent and the Capability of the Threat Actor/s in columns F & G (remembering that both need to be present to pose a threat).
- Fill in History in column H: any past occurrences of the threat materialising (either related to BAT, a comparable organisation or in the country (specify which)). History can be used to substantiate Intent and Capability and provide background information on the nature of such an attack, which can inform control measures later.
- Refer to the Threat Matrix (in the Manual) to assess whether the sub-threat is HIGH (red), MEDIUM (yellow), LOW (green) or INSIGNIFICANT (default grey) and insert Rating in column K.
- The overall threat rating for the threat category is to be assigned by Security Manager taking into account the ratings of the sub-threats assessed and using own judgement with regards to severity and weight of each sub-threat. This is a judgement, but if in doubt should be based on the highest threat rating of all the sub-threats, e.g. if the threat for Kidnap is assessed to be HIGH (red) but all the other sub-threats in the 'Criminal Threats to People' threat category are LOW (green), the overall threat rating for 'Criminal Threats to People' is HIGH.
- Ensure that you are only considering the pure threat - as if there are no mitigating measures in place.
- When you have completed this tab, complete the Country Threat Summary (in SRM Briefing Pack).

COLUMNS:

No.

THREAT CATEGORIES & SUB THREATS
Maria Davydenko: All Threats & Sub-Threats are pre-defined

THREAT ACTOR
Maria Davydenko: who may pose the threat

CREDIBLE RISK EVENT
Maria Davydenko: Detail events that realistically could occur at your location

INTENT
Maria Davydenko: motive or context which could lead the threat actor to act in a way which could cause threat event to occur

CAPABILITY
Maria Davydenko: assessment of the ability of the threat actor to carry out the threat event

HISTORY
Maria Davydenko: relevant examples or indicators of the threat occurring previously

Threat Rating
Nicola Huxley: Refer to Threat Severity Matrix

ROWS (cell values in sheet order; empty cells omitted):

1 | CRIMINAL THREATS TO PEOPLE | Not relevant to people, only assets. | ERROR:#REF! | 1.0
1.1 | Kidnap | Insignificant
1.2 | Murder | 1.0
1.3 | Assault/ Robbery | 1.0
1.4 | Extortion | Insignificant

2 | CRIMINAL THREATS TO ASSETS | 2.0
2.1 | Fraud | 1.0
2.2 | Theft - by employees | 1.0
2.3 | Theft - by non-employees | 2.0
2.4 | Burglary | 2.0
2.5 | Armed robbery & hijack | 1.0
2.6 | Malicious damage / sabotage | Insignificant
2.7 | Arson | Insignificant

3 | THREATS TO INFORMATION
3.1 | Malicious theft | Insignificant
3.2 | Malicious disclosure of info | Insignificant
3.3 | Malicious manipulation of info | Insignificant
3.4 | Unintentional disclosure of info | Insignificant
3.5 | Accidental manipulation of info | Insignificant

4 | TERRORISM
4.1 | Direct attack against BAT/ comparable organisation | Insignificant
4.2 | Indirect attack affecting BAT | 1.0

5 | GEO-POLITICAL TENSIONS | Insignificant
5.1 | Government / Regime stability | Insignificant
5.2 | Harassment / Detention by authorities | Insignificant
5.3 | Regional tensions | Insignificant

6 | SOCIAL INSTABILITY | Insignificant
6.1 | Civil Unrest | Insignificant
6.2 | Social activism | Insignificant
6.3 | Religious issues | Insignificant

7 | MILITARY ACTION | Insignificant
7.1 | Civil War | Insignificant
7.2 | Military Action/Unrest | Insignificant
7.3 | Insurgent Activity/Guerilla Warfare | Insignificant

8 | ENVIRONMENTAL | Insignificant
8.1 | Wild Fire (not arson) | Insignificant
8.2 | Flood | Insignificant
8.3 | Other natural disaster | Insignificant
8.4 | Pandemic | Insignificant

9 | TRAVEL | Insignificant
9.1 | Airlines | Insignificant
9.2 | Road Traffic Accidents | Insignificant
9.3 | Infrastructure | Insignificant
9.4 | Anti-foreigner sentiment | Insignificant

BAT Security Security Business Risk Assessment


Risk Assessment

HEAD OFFICE RISK ASSESSMENT as at 18 March 2014

Rating key: HIGH | MEDIUM | LOW | INSIGNIFICANT

INSTRUCTIONS:
- Create further copies of this tab for each site that is to be risk assessed, e.g. Lagos Head Office Risk Assessment, Ibadan Factory Risk Assessment, etc.
- The Country Threat Level for each threat & sub threat that was determined in the Country Threat Assessment tab (previous step) will autofill into column C. Assess any local conditions at the site which may result in a different threat level, e.g. the Nigeria threat rating for kidnap may be High but in Abuja it is Medium. Insert relevant comments (why rating is different) in column D & record the Site Threat Rating in column E. It is this revised rating that is used to assess the risk rating.
- If the sub-threat is assessed to be INSIGNIFICANT, do not carry out further risk assessment on this particular sub-threat.
- All key vulnerabilities identified should be inserted into Column F. To complete the Vulnerabilities column, the Security Manager needs to judge which threat each vulnerability applies to, for example, a vulnerability such as 'site close to political party office' is relevant to Civil Unrest, whereas 'no vehicle access control on front gate' would apply instead to 'Terrorism'. It is important to group vulnerabilities with each potential threat/sub threat to assess the extent to which the business is exposed.
- Then assign a Vulnerability Rating to each vulnerability or group of vulnerabilities. Refer to the Vulnerability Matrix in the SRM Manual. Insert Rating in column G.
- The 'Likelihood' of a risk event is determined by comparing threats against vulnerabilities. Use the Likelihood Matrix to determine Likelihood rating and insert in column H.
- The Impact of an event is an expected amount of loss or damage from a successful attack. Use reference tables from Group Risk Management Manual to determine Impact rating and insert in column I.
- The risk rating is calculated by mapping the likelihood rating against the impact rating. Refer to the Risk Matrix, known as the HEAT Map, to assign Risk rating in column J.
- Then insert an agreed (discuss further as necessary) Risk Response Approach (Treat, Tolerate, Transfer, Terminate) in Column K.

* The overall risk rating for the category should be assigned by the Security Manager taking into account the ratings of the sub-threats assessed and using own judgement.

COLUMN GROUPS: THREAT | VULNERABILITY | LIKELIHOOD | IMPACT | RISK RATING

COLUMNS:

THREAT CATEGORIES & SUB THREATS
Nicola Huxley: All Threats & Sub-Threats are pre-defined & are carried over from the 'Threat Assessment' tab

COUNTRY THREAT RATING
Nicola Huxley: This 'Country Threat Rating' is carried over from the 'Threat Assessment' tab

SITE SPECIFIC CONSIDERATIONS
Nicola Huxley: Is the threat at this site different to the country threat assessment? Insert any threat information specific to this site/location that may result in a different 'Site Threat Rating'. Highlight any specific considerations (location of site, specific crime issues etc)

SITE THREAT RATING
Nicola Huxley: Re-consider the Country Threat Rating in column B, re-assessing the threat at this particular site/location. Change from country level if required

VULNERABILITIES identified in survey

VULNERABILITY RATING
Maria Davydenko: Refer to Vulnerability Table

LIKELIHOOD RATING
Maria Davydenko: Refer to Likelihood Matrix

IMPACT RATING
Maria Davydenko: Expected amount of loss or damage from a successful attack is rated using the criteria in the Impact Matrix

RISK RATING
Maria Davydenko: Refer to Risk matrix

RISK RESPONSE OPTION
Maria Davydenko: Note approved option

ROWS (cell values in sheet order; empty cells omitted; an indented line continues the row above):

CRIMINAL THREATS TO PEOPLE
Kidnap | Insignificant | Insignificant
Murder | 1.0 | Insignificant
Assault / Robbery | 1.0 | 1.0 | 3.0 | 2.0 | 2.0 | 2.0 | Treat
    2.0 | 1.0 | 3.0 | 2.0 | Tolerate
Extortion | Insignificant | 1.0

CRIMINAL THREATS TO ASSETS | 2.0
Fraud | 1.0 | 1.0
Theft - by employees | 1.0 | 1.0 | 2.0 | 1.0 | 1.0 | 1.0 | Treat
Theft - by non-employees | 2.0 | 1.0 | 3.0 | 2.0 | 1.0 | 1.0 | Treat
    2.0 | 1.0 | 2.0 | 1.0 | Tolerate
Burglary | 2.0 | 1.0 | 3.0 | 2.0 | 1.0 | 1.0 | Treat
Armed robbery & hijack | 1.0 | 1.0 | 2.0 | 1.0 | 2.0 | 1.0 | Tolerate
Malicious damage / sabotage | Insignificant | Insignificant
Arson | Insignificant | Insignificant

THREATS TO INFORMATION | 0
Malicious theft | Insignificant | 1.0 | 3.0 | 2.0 | 1.0 | 1.0 | Treat
Malicious disclosure of info | Insignificant | 1.0
Malicious manipulation of info | Insignificant | 1.0
Unintentional disclosure of info | Insignificant | 1.0 | 2.0 | 1.0 | 2.0 | 1.0 | Treat
Accidental manipulation of info | Insignificant | 1.0

TERRORISM | 0
Direct attack against BAT/ comparable organisation | Insignificant | Insignificant
Non direct attack affecting BAT | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 | Tolerate

GEO-POLITICAL TENSIONS | Insignificant
Government / Regime stability | Insignificant | Insignificant
Harassment / Detention by authorities | Insignificant | Insignificant
Regional tensions | Insignificant | Insignificant

SOCIAL INSTABILITY | Insignificant
Civil Unrest | Insignificant | Insignificant
Social activism | Insignificant | Insignificant
Religious issues | Insignificant | Insignificant

MILITARY ACTION | Insignificant
Civil War | Insignificant | Insignificant
Military Action/Unrest | Insignificant | Insignificant
Insurgent Activity/Guerilla Warfare | Insignificant | Insignificant

ENVIRONMENTAL HAZARDS | Insignificant
Fire (not arson) | Insignificant | Insignificant
Flood | Insignificant | Insignificant
    Nicola Huxley: e.g. excessive rainfall, rise in sea level
Natural Disaster-specify | Insignificant | Insignificant
    Nicola Huxley: e.g. volcano, earthquake, tornado
Pandemic | Insignificant | Insignificant
    Nicola Huxley: e.g. avian flu, swine flu, SARS virus

TRAVEL HAZARDS | Insignificant
Airlines | Insignificant | Insignificant
    Nicola Huxley: Specify airlines of a poor standard
Road Traffic Accidents | Insignificant | Insignificant
Infrastructure | Insignificant | Insignificant
Anti-foreigner sentiment | Insignificant | Insignificant

HEAD OFFICE RISK MITIGATION TABLE as at 24 March 2014

INSTRUCTIONS:
- Insert name of site in the title.
- Insert recommendations to mitigate each of the threats. These should be based on the Risk Response Option selected in the table above (see column 'Recommendations').
- Record the Approval Decision (Approved, Rejected, Deferred).
- Record the Approving Authority (e.g. GM, Top Team, Legal Director etc.). Insert name/initials.
- Add any comments related to the approval (e.g. timescales, resource limits etc.)
- Once authorisation has been approved for the Complete Action Plan from the Risk Owner, an Action Plan can be developed with the recommended mitigation measures/controls.

COLUMNS:

THREAT CATEGORY
Maria Davydenko: All Threats are pre-defined

RECOMMENDATIONS
Maria Davydenko: Note specific recommendations to manage risk

APPROVAL DECISION
Maria Davydenko: Note decision made (Approved, Rejected, Postponed)

APPROVING AUTHORITY
Maria Davydenko: Note who made decision (GM, Leadership Team, Risk Committee etc)

COMMENTS
Maria Davydenko: Note any comments relating to recommendation of approval

ROWS:

CRIMINAL THREATS TO PEOPLE

CRIMINAL THREATS TO ASSETS

THREATS TO INFORMATION

TERRORISM

GEO-POLITICAL TENSIONS

SOCIAL INSTABILITY

MILITARY ACTIVITY

ENVIRONMENTAL HAZARDS

TRAVEL HAZARDS

ADDITIONAL RECOMMENDATIONS
Nicola Huxley: Insert any other recommendations that do not align with a specific threat.

HEAD OFFICE ACTION PLAN (APPROVED MEASURES/CONTROLS) as at 24 March 2014

INSTRUCTIONS:
- Insert the site title for which the action plan produced on the top of the sheet.
- Record the specific Mitigation Measure/Controls to be implemented.
- Record who is Responsible for implementing the new measure/control.
- Note the planned Start and Due Completion dates.
- Note the Status (e.g. Completed, In progress, Not Started, On hold).

COLUMNS:

ITEM

MITIGATION MEASURE / CONTROL
Maria Davydenko: Note the measure/control to be implemented

RESPONSIBILITY
Maria Davydenko: Note who is responsible for implementing the measure/control

START DATE
Maria Davydenko: Note when implementation of the measure/control is to start

DUE COMPLETION DATE
Maria Davydenko: Note planned completion date

STATUS
Maria Davydenko: Note status of implementation

ROWS (ITEM):

1
2
3

Threat Severity Matrix

CONFIDENTIAL

THREAT SEVERITY MATRIX

Use this matrix to assess the threat rating for each sub-threat in the Country Threat Assessment tab of the SRM Assessment Pack.

Rating columns, left to right: N/A / Insignificant | LOW (1) | MEDIUM (2) | HIGH (3)

Each sub-threat below is followed by its descriptions in sheet order. Sub-threats listed without text have no separate description on the sheet.

1.0 CRIMINAL THREATS TO PEOPLE

1.1 Kidnap
Threat not present (except for very rare cases) or poses no known threat to business. Minimal occurrence, not widespread or organised. No direct threat. Some incidents occur, or kidnapping by organised groups. No direct threat. Frequent instances of kidnapping, indications exist that it is organised, or direct threat.

1.2 Murder
Minimal occurrence, not widespread or organised. No direct threat. Incidents occur - however government has strict laws and enforcement is often successfully achieved. No direct threat. Frequent incidents, criminal elements are powerful, government ability to deter or respond to incidents is very limited, or direct threat.

1.3 Assault/ Robbery
Minimal occurrence, not widespread or organised. No direct threat. Government has strict laws and enforcement is often successfully achieved. Incidents may routinely occur. Would be more frequent if mitigating measures are not in place. Opportunist or pre-meditated attacks likely to occur. A widespread and regular occurrence, indications exist that it is organised, or direct threat. Government forces lack capability.

1.5 Extortion
Minimal occurrence against comparable commercial organisations. Incidents routinely occur against comparable commercial organisations. Major/ frequent incidents, government ability to respond to incidents is very limited, or direct threat.

2.0 CRIMINAL THREATS TO ASSETS

2.1 Fraud
Threat not present (except for very rare cases) or poses no known threat to business. Minimal reporting or detection. Minor incidents occur occasionally. Major incidents occur but infrequently. Numerous major incidents have occurred in the last year. Fraudulent activity occurs frequently due to institutionalised corruption and opportunity.

2.2 Theft - by employees

2.3 Theft - by non-employees

2.4 Burglary
Minimal occurrence, not widespread or organised. No direct threat. Government has strict laws and enforcement is often successfully achieved. Incidents may routinely occur. Would be more frequent if mitigating measures are not in place. Opportunist or pre-meditated attacks likely to occur. A widespread and regular occurrence, indications exist that it is organised, or direct threat. Government forces lack capability.

2.5 Armed robbery & assault
Minimal occurrence, not widespread or organised. No direct threat. Major/ frequent incidents occur - however government has strict laws and enforcement is often successfully achieved. A widespread and regular occurrence, indications exist that it is organised, or direct threat.

2.6 Malicious damage / sabotage

2.7 Arson
Minimal occurrence. Arson is often carried out by vandals or activists. No direct threat. Routinely used against commercial targets / private property, or direct threat.

3.0 THREATS TO INFORMATION

REFER TO INFO SEC THREAT DEFINITIONS

3.1 Malicious theft

3.2 Malicious disclosure of info

3.3 Malicious manipulation of info

3.4 Unintentional disclosure of info

3.5 Accidental manipulation of info

4.0 TERRORISM

4.1 Direct attack against BAT/ comparable organisation
Terrorism threat not present (except for very rare cases) or poses no known threat to business. No known interest in targeting BAT or comparable commercial organisations by extremist groups. Threats made by extremist groups against BAT or comparable commercial organisation. Extremist groups have targeted BAT or comparable commercial organisation in the past 5 years. Extremist groups are active and have carried out successful attacks in the past 2 years.

4.2 Non-directed attack affecting BAT
National terrorism threat levels are low. Security forces are capable in detecting and controlling extremist groups. Extremist groups are active. National terrorism threat levels are at a medium level. Security forces are limited in their ability to detect and control extremist groups. Extremist groups are active and have carried out successful attacks in the past year. Security forces are clearly unable to detect and control extremist groups. Consistent danger of attack, e.g. Pakistan

5.0 GEO-POLITICAL TENSIONS

5.1 Government / Regime stability
The environment for business is benign. Political stability is virtually assured. Government is fairly stable, however certain groups regularly call for a change in government. Occasional violent acts against the government such as small scale protests or terrorist attacks. Media and public perception indicate that there is a likelihood that if the current situation continues, the government in power will be destabilised or overthrown. Extreme likelihood of significant changes in government, outside of legally accepted means. Active and well supported opposition or secessionist movements. Recent history of large protests / anti-government violence.

5.2 Harassment / Detention by authorities
Threat not present (except for very rare cases) or poses no known threat to business. Detention occurs as part of normal law enforcement procedures. Strict laws exist - however leniency is often given to foreign nationalities. Strict laws and their enforcement occurs in country frequently - some seemingly irrelevant to foreign nationalities.

5.3 Regional tensions
Nil regional tensions, neighboring countries stable. Minor issues - open source reporting suggests a potential for heightened tensions with other countries/regions within the country. Major Issues - numerous points, policies, matters, or questions are being disputed or decided. Serious tensions with other countries/regions within the country exist that severely affect trading activity.

6.0 SOCIAL INSTABILITY

6.1 Civil Unrest
No history or threats. Protests occur occasionally. Opposition groups are either not widely supported or effectively controlled by authorities. Active protest movement. Sporadic, small scale violent protests. Speculation of large scale protests. Major, violent, sustained protests, demonstrations, looting. Violent clashes with security forces and / or opposition groups.

6.2 Social activism
No history or threats. Sporadic, small scale labour strikes occur occasionally. Anti-tobacco groups exist but are not active. Labour strikes occur across the country not at a significant level and without significant business disruption. Anti-tobacco groups are active, but restrained to legal forms of protest. Recent history of strikes and industrial action, disputes with host communities, which result in demonstrations, work stoppages, vandalism or other security incidents. Anti-tobacco groups have a history of acts targeting BAT.

6.3 Religious issues
No significant issues. Issues of unresolved conflict between different groups, stemming from opposing ethnic and/or religious value systems do exist, but rarely result in violence. Significant tensions exist between differing ethnic / religious groups, occasional violent acts occur as a result. Serious tensions resulting in regular religious / sectarian / ethnic motivated violence and deaths.

7.0 MILITARY ACTION

7.1 Civil War
No history or indications of an increasing trend towards inter-country conflict. Tensions between factions / regions of the country do exist, but rarely result in violence. Sustained clashes between various factions. There is speculation that a war between factions or regions of the country is developing. An outright civil war is occurring.

7.2 Military Action / Unrest
No history or threat. Tensions with neighbouring countries exist. Occasional talk of conflict in the media, but nothing more than minor incidents occur. Relations and heightened tensions exist. Preparations for war underway. Overt communications in media suggesting actions are imminent. War / Military Action

7.3 Insurgent Activity/Guerilla Warfare
No history or threat. Armed opposition groups exist in the country but are either lacking in support or effectively controlled by the security forces. Armed opposition groups are active in the country. Occasional acts of vandalism or sabotage, occasional fatalities. A sustained campaign of guerilla warfare exists, involving suicide bombings, ambushes, sniper attacks, and traditional hit and run raids.

8.0 ENVIRONMENTAL HAZARDS

8.1 Wild Fire (not arson)
Relevant authorities assess that the threat is insignificant. No history of significant events. Relevant authorities assess that the threat does exist, however events in the past 5 years have either been effectively dealt with / had minimal impact. Significant events have occurred in the past 5 years, resulting in some fatalities and damage to property. Numerous large scale events occurred in the past 5 years that resulted in dozens of fatalities and wide scale damage to property.

8.2 Flood

8.3 Other Natural Disaster e.g. Tsunami, Volcano, Earthquake, Cyclone

8.4 Pandemic
Insignificant reports of pandemic type diseases. Full medical support available. Medical facilities exist, however they would struggle to respond to a pandemic outbreak. Some medical facilities exist in larger cities, however are non-existent in urban areas. Sickness and Disease is common within country. No suitable medical facilities exist. WHO warnings in place. Widespread deaths due to treatable diseases.

9.0 TRAVEL HAZARDS

9.1 Airlines
Category 1 airlines available (as per Airline Insider). Only Category 2 airlines available. Only Category 3 airlines available. No acceptable airlines available for use.

9.2 Road Traffic Accidents
High standard of driving and respect for road rules. RTAs occur at a low level that does not pose a threat to business. Driving standards are reasonable, however RTAs do occur due to a mild lack of respect for road rules or lack of enforcement by police. Fatal RTAs occur frequently. Poor driving standards. However, strict road rules and laws are enforced by police. Reckless driving standards. Fatal RTAs occur daily, ineffective road rules and little or no enforcement by police.

9.3 Infrastructure
High quality and coverage of public services infrastructure (transport, communications, medical, emergency services). Good quality and coverage of public services infrastructure. However some regions still have poor / developing infrastructure. Quality and coverage of public services infrastructure varies. The majority of the country has inadequate/poor infrastructure. Medical infrastructure unreliable. Poor quality and coverage of public sector infrastructure. Completely inadequate medical infrastructure.

9.4 Anti-foreigner sentiment
Insignificant negative reactions to foreigners / being a Western company. Minor anti-foreigner sentiment exists, but poses low threat to expatriates/ staff travellers / business. Minor anti-foreigner sentiment exists. Foreigners are viewed with distrust. Complications / incidents arise due to employing foreigners / being a Western company. Open and consistent rhetoric in media, from public figures, etc. Foreigners draw attention. Foreigners are viewed with hostility and occasionally targeted in criminal acts as a result.

DESCRIPTIONS OF THREATS TABLE
No | Threat | Description | BAT Example
1 | CRIMINAL THREATS TO PEOPLE
1.1 | Kidnap | The capture and holding of individuals against their will, usually in false imprisonment. It is usually for ransom or political demand. Express kidnap involves abduction where a small ransom, that the company or family can easily pay, is requested. Tiger kidnap is a crime where abduction forms part of a robbery, murder or other crime. Some person of importance to the victim is held hostage as collateral until the victim has met the criminals' demands. | Kidnap of field force personnel or expatriate for ransom.
1.2 | Murder | The killing of another human being under conditions specifically covered in local law. | Fatal shooting of field force personnel in a robbery conducted by street gangs. Drug cartel violence leading to the deaths of bystanders.
1.3 | Assault/Robbery | Assault: a physical attack by one or more persons upon another. Robbery: taking the property of another from his or her person or in his or her immediate presence, against his or her will, by violence or intimidation. This threat category refers to the assault or robbery targeting a person, not an asset. For assault or robbery against a vehicle including hijack see 2.4. | Robbery of cash or product from a member of the field, mugging of staff on the street. An example of assault would be being punched and kicked in the process.
1.4 | Extortion | Threat of violence, demonstrations, work stoppage or other illegal action in order to extract concessions from BAT or its contractors. Incidents of extortion or intimidation may be directed against individual employees or the company as a whole, and may be perpetrated by labour unions, communities or ad hoc criminal groups. May involve contaminated goods and products and disruption to supply chain. Includes Blackmail (Threats to reveal true or false information about a person to the public, a family member or associates, unless a demand is met. It is a form of coercion involving threats of physical harm, threat of criminal prosecution or for the purpose of taking a victim's money or other property.) Includes Intimidation (Creating an environment or conditions where people are fearful for their safety, or of participation or involvement in some activity, and the intimidator wants them to stop that involvement. Includes direct and anonymous threats to staff.) | Organised crime group claiming that they will target the company unless they are paid 'protection money.'
2.0 | CRIMINAL THREATS TO ASSETS
2.1 | Fraud | An incident where an individual within the company, a third party working for the company, or a party external to the company, illegally deceives or cheats the company in some way which results in the company being deprived of funds or assets to which it is entitled. Frauds can be perpetrated by the misuse of data, manipulation of stock records, embezzlement, etc. Examples can include false travel and expenses claims, misuse of company credit cards, supplier fraud and attempts by employees or embedded contractors to embezzle funds or other value items from BAT by abusing their position of legitimate access. Fraud is a crime and also a civil law violation. (Loss Report definition). | Supplier fraud. Expenses fraud. Collusion amongst the Finance department.
2.2 | Theft - by employee | When an employee of the company steals money, product or other assets from the company. (Loss Report definition). | Theft of a laptop by an employee, theft of product by BAT warehouse staff.
2.3 | Theft - by non employee | When an individual, not an employee of the company, steals money, product or other assets from the company. (Loss Report definition). | Break in by criminals to a warehouse to steal finished goods. Theft of a container whilst being transported.
2.4 | Burglary | The illicit entry into a building for the purposes of committing an offence. The offence is usually theft, but can include the assault of people. Aggravated burglary occurs when the burglar enters and at the time has a firearm or other weapon of offence. | Break in to a BAT office or residence, and steal items.
2.5 | Armed Robbery & hijack | When an individual steals money, product or other assets from the company or contractors, with the use of a weapon to intimidate or injure. This can include hijack, i.e. taking control (or theft) of the vehicle by force or threat of violence. This sub-threat focusses on the targeting of assets, not the targeting of people (see 1.3). | Hijack of a distribution van by armed criminals.
2.6 | Malicious Damage/Sabotage | When individuals, whether they are employees or not, willfully damage company product, facilities or other equipment. (Loss Report definition). Includes Vandalism (Spontaneous damage to property, intended to disrupt or to cause a loss of confidence or embarrassment) and Malicious Product Contamination. | Purposeful contamination of product by a disgruntled factory employee.
2.7 | Arson | Intentionally setting fire to structures and/or property. Separate to Malicious Damage category because it is important in its own right. | Warehouse being set alight by vandals.
3.0 | THREATS TO INFORMATION
3.1 | Theft of Information | The deliberate and unauthorised removal or copying of information with the intent to gain advantage and / or deprive the owner of an advantage. | Copying information from the Company's group drive and storing it at home as potential leverage in case of termination of employment.
3.2 | Malicious disclosure of information | The deliberate and unauthorised disclosure of information with the intent to cause harm to the owner e.g. reputational harm, financial loss etc. | Leaking of information by a disgruntled employee to the media or an 'anti' group in order to 'get back at the Company'.
3.3 | Malicious manipulation of information | The deliberate and unauthorised alteration of information with the intent to cause operational disruption, financial loss or reputational harm. Note it is not intended that the manipulation of data to commit fraud is covered under Information Security Threat. | A disgruntled employee intentionally changing figures in a Company Plan document in an attempt to cause disruption.
3.4 | Accidental disclosure of information | The unintentional disclosure of information due to human error, failure of controls, lack of control or lack of application of controls. | Accidentally emailing sensitive information to someone outside of the company.
3.5 | Accidental manipulation of information | The unintentional alteration of information due to human error, failure of controls, lack of control or lack of application of controls. | Accidentally deleting information from the Company's group drive.
4.0 | TERRORISM | Violent attacks against civilian targets by domestic or foreign extremists intended to influence a national or international audience. Tactics may include armed attacks, use of explosives or sabotage. The sub-headings to be considered include VBIED at BAT premises, VBIED at adjacent venues, IED carried into premises (including by suicide bomber), IED by mail, stand-off rocket or similar attack, CBRN directed at BAT or adjacent location, attacks on public spaces, assassination of staff, contractors, guests and contamination of goods/supplies.
4.1 | Direct attack against BAT / comparable organisation | Direct attack is a targeted assault against a BAT asset such as premises or individuals, specifically due to anti-BAT sentiment or because BAT is classed as a Western or commercial organisation, and deemed a credible target. Also includes direct targeting of a comparable organisation such as a large, Western company or one with similar values. Consider history, frequency and severity of attacks. | An attack directly targeting a BAT office or an FMCG office nearby.
4.2 | Indirect attack affecting BAT | A non-directed attack does not deliberately target BAT assets, but still presents incidental risk to staff, assets and business operations. BAT staff or assets may become targets of opportunity, convenience or incidental ('wrong place wrong time' concept). Consider targets in vicinity of BAT property or assets for assessment. Consider the concept of displacement of threat, whereby a hardened target may result in attacks being displaced to a softer target. | An attack against an embassy near to a BAT office, with the blast damaging the surroundings including the BAT office itself.
5.0 | GEO-POLITICAL TENSIONS | Similar concept to political risk (except in this instance we are focusing on the security risks that arise from it). Involves state or non-state actors negatively affecting business operations in a country through regime instability or direct/indirect interference. These state actors can include domestic and foreign governments, the judiciary, parliament, and the security forces; non-state actors can include secessionist movements, insurgent groups, lobbies or union groups, organised criminal groups, ethnic and indigenous groups as well as international organisations, and other companies.
5.1 | Government / Regime instability | A situation whereby a country's leadership is going through political turmoil. It may also negatively impact the country through leading to a deterioration in terms of its economic progress, and hence socio-economic conditions experienced by its population. Prospect of unstable or paralysed government due to fragility of ruling coalition, threat of a coup d'état, insurgency, or disputes between branches of government. Potential for immediate and detrimental uncertainty in event of the assassination of a head of state. Propensity for regime change. | Many of the countries that experienced the 'Arab Spring' went on to experience extreme government instability.
5.2 | Harassment / Detention by authorities | The unfair or unjustified seizure or forcible restraint of an individual; the taking or keeping of a person in custody by the authorities. In terms of harassment, the unfair or unjustified attempt to interrupt or interfere with the activity of an individual or business process. | Detention and excessive questioning of expatriate personnel at airports, because of the fact that they are foreigners. Delays in clearing product at customs due to an unwritten policy to harass Western companies.
5.3 | Regional tensions | Strained relations between countries, be it over disputed borders, religious or ideological differences, or other opposing issues. May lead to increased risk of conflict. Different to 'Sectarian Issues' (6.3). | Israel and the Arab countries neighboring it. Can lead to sensitivity about origin of product, restriction of travel routes, etc.
6.0 | SOCIAL INSTABILITY
6.1 | Civil Unrest | A loose term to describe anti-government activities as varied as organized protests, rioting, general strikes, arson and looting, and armed insurrection. May occur at a national level or in one or more major cities, and may result in the use of lethal force by protesters or government security forces. | Protests leading up to elections. The Arab Spring. Demonstrations about poor living standards.
6.2 | Social activism | Use of direct, often confrontational action, such as a demonstration or strike, in opposition to or support of a cause. Includes demonstration against BAT, labour unrest (protests directly related to BAT operations or interests). Includes Strikes and Industrial Action (Threat of balloted or wildcat strikes by local employees, whether unionised or not.) Includes disputes with host communities (threat of disputes with host communities over employment, contracting, land use, environmental or similar issues. Disputes may be peaceful or violent in nature and may result in demonstrations, work stoppages, vandalism or other security incidents). | A strike at a factory. Anti-tobacco groups vandalising Globe House.
6.3 | Sectarian issues | Issues of unresolved conflict between nations or people groups that stem from opposing ethnic / religious / tribal value systems; often resulting in misunderstandings, hatred, violence, and war. Any environment where there are individuals subscribed to differing religions or sects, with the followers of one religion / sect viewing the followers of the other with hostility, and vice versa. Internal to the country, or crossing borders within the Area. Different to 'Regional tensions' (5.3). | The sectarian tensions in the Middle East (Sunni vs. Shiite), which result in sustained violence (Iraq, northern Lebanon, etc) which poses risks to staff and business operations.
7.0 | MILITARY ACTION
7.1 | Civil War | A war between factions or regions of the same country. | The conflict in Syria which required complete business shut down in 2012.
7.2 | Military Action/Unrest | An internal military engagement of any sort. This encompasses both one off military engagements / attacks, and sustained military campaigns. | The 2006 war in Lebanon, between Hezbollah and the Israeli military, which required the evacuation of staff. Nigerian forces in North of country.
7.3 | Insurgent Activity/Guerrilla Warfare | A form of irregular warfare in which a small group of combatants such as armed civilians (or "irregulars") use military tactics including ambushes, sabotage, raids, petty warfare, the element of surprise, and extraordinary mobility to dominate a larger and less-mobile traditional army, or strike a vulnerable target, and withdraw almost immediately. Modern day tactics include the bombing of vehicles and human targets, suicide bombings, ambushes, sniper attacks, and traditional hit and run raids. | The Iraqi insurgency's fight against the U.S.-led coalition, which posed significant security risks to multinational companies doing business in Iraq.
8.0 | ENVIRONMENTAL HAZARDS
8.1 | Fire (not arson) | Accidental (non-intentional) fire such as wild fire / bush fire near BAT site or fire at premises caused by electrical fault. | Fire at a factory, warehouse or office.
8.2 | Flood | An overflowing of water submerging land that is normally dry. | The 2010 Pakistan floods.
8.3 | Natural Disaster-specify | Losses of stock, property or other assets due to fire/flood/destruction/other caused by a natural disaster (earthquake, hurricanes, tsunamis, tornados, etc) (Loss Report definition). | The 2011 earthquake in Christchurch, New Zealand, which damaged warehouse and distribution infrastructure.
8.4 | Pandemic | An outbreak of a disease that occurs over a wide geographic area and affects an exceptionally high proportion of the population. | The 2002 SARS outbreak in China. The 2009 Swine Flu outbreak in Mexico, which resulted in considerable disruption to business operations.
9.0 | TRAVEL HAZARDS | Risk of safety or security incidents during travel, either by road or aviation. Safety threats include dangerous driving, inadequate roads, lack of emergency services, limited or unavailable flights by reliable international carriers, a poor safety record on the part of domestic airlines and/or an inadequate civil aviation infrastructure. Security threats include exposure to assault, robbery and/or violent crime following traffic accidents. For air travel, this includes the threat of terrorist attack or hijacking against aircraft and inadequate aviation security procedures at airports.
9.1 | Airlines | The standards of airlines available for use in the country. This takes into consideration management practices, fleet age, accident record, alliances, operational training, maintenance, flying environment, national regulatory control, the International Air Transport Association [IATA] IOSA audit, and other factors. | Countries like Iran, Russia and some South American countries are known to have very poor aviation safety records, posing a potential risk to business travellers if certain carriers are used.
9.2 | Road Traffic Accidents | A traffic collision (motor vehicle collision, motor vehicle accident, car accident, or car crash). This threat is increased in countries with particularly poor driving standards, poor enforcement of road rules, and poor conditions of roads (upkeep, lighting, signage, etc). | Death of field force personnel due to RTA.
9.3 | Infrastructure | The standard of all public and private infrastructure: emergency services, hospitals and medical facilities, roads, public transport, water, electricity, etc. | When preparing for a market entry into a developing country, the standard of medical facilities must be assessed in case staff are injured when travelling there.
9.4 | Anti-foreigner Sentiment | The policy or practice of showing hostility toward foreigners, foreign customs, etc. Irrational or unreasoned fear of that which is perceived to be foreign or strange. | Anti-American sentiment following the release of an anti-Islam film in 2012, which resulted in protests and vandalism of western embassies and companies perceived to be western in over 20 countries. Western travellers were also assessed to be at risk in certain countries as a result.