How well have companies learnt the lessons from September 11 in
terms of their business continuity planning?
Since the events of September 11th 2001, it seems axiomatic to
make statements like “the world has changed forever”. In a
sense this is true, because any traumatic attack on a superpower
is bound to provoke a demand for revenge that can only be
satiated by direct and focused action. Such action changes the
course of history in ways that cannot be predicted at the time
and may take decades or centuries to be fully played out.
The results in the UK are clear to see, although the connection
is not exact. We have tanks surrounding our major airports, the
normally pragmatic Home Secretary talking in apocalyptic
terms, the discovery of poisonous terrorist-type chemicals in
suburban houses, and a million people taking to the streets in
an anti-war demonstration.
As usual in Business Continuity, the exact meaning of the
question we are trying to answer is open to debate. If we ask
“Are large global corporations in the financial world better
prepared to deal with a wide-scale disaster that destroys or
denies access to a number of their facilities over a wide area?”
- I think the answer is a qualified YES.
If we ask “Are governments in some parts of the world and
their associated regulatory and standards bodies taking a much
closer interest in Business Continuity?” - I accept the answer
is a definite YES.
Unfortunately, if we ask “Are the myriad other wealth-generating
sectors of the world’s economy doing much about
Business Continuity?” - the answer is NO.
Finally, and most telling, is a question which could be addressed
even to the global financial businesses: “Have you done much to
improve your management ability to handle totally random events,
regardless of how they originate or what they involve?” Again,
with a few exceptions, I fear the answer is NO.
The real nature of the modern threat to business is that the
specific scenario you plan for probably will never happen. The
lessons learned from 9/11 are wide-ranging and important, but
can they be applied to an almost unlimited range of threats? One
attribute of terrorism is its unpredictability; any Business
Continuity Programme must recognise that and be able to react
rapidly to mitigate the impact regardless of where or how it is
delivered. However, a fire could destroy your business as
quickly as a terrorist bomb and is many times more likely to
happen. Inappropriate handling of the media during a serious
incident might ruin a company quicker than any physical
incident. The current preoccupation with terrorism and
large-scale attacks on financial centres seems to me to mirror
the old adage about generals always fighting the last war, not
the current one. By definition, if we knew exactly what was
going to happen, when and where, we could almost certainly
prevent it or at least minimise its impact.
There are clearly limitations in current Business Continuity
thinking, but it is only fair to recognise the many positive
actions taken since 9/11 by individual companies and some
governments. For example, all of the companies regulated in the
UK by the Financial Services Authority (FSA) had to provide a very
detailed analysis of the actions they had taken to better
protect themselves in the light of the US experience. The
questions were detailed and the submissions extensive; however,
as one very experienced BCM Manager told me, “We answered
honestly but did not volunteer information that was not
requested and gave it our best possible spin. To be realistic,
it sounded a lot better than it really is”.
Similar positions are being taken across the Atlantic. On my
first visit to New York after 9/11, I had the opportunity to
visit a 50-storey building almost adjacent to Ground Zero and
talk to BCM staff who had been working in the building when it
happened. One thing that seemed interesting to me was the way
that (3 months on) attitudes had changed from the initial
emotional cross-functional support to defensive and protective
ones. Nothing discussed could be repeated or published without
legal clearance, no decisions (however simple and routine) could
be made without the highest possible approval level being
demanded, and everyone was terrified - not of another attack -
but of the consequences for insurance or legal claims of a wrong
word or bad decision. BCM professionals were getting
increasingly frustrated that programmes that were already in
train were being stopped for no practical or rational reason -
other than fear of doing something wrong. In addition, economic
concerns were putting pressure on budgets, with security,
disaster recovery and business continuity on the “hit-list”.
This contrasted sharply with what the press were telling us
about Business Continuity being top of the Board Room agenda
right across corporate America. I have taken the opportunity
over the past 15 months to speak to as many people as possible
who personally have worldwide responsibility for BCM across
global businesses. Most of what I hear is that initially there
was great top-level interest in the subject, but from about 6
months onwards it became more and more difficult to get time
with senior executives to discuss even the most critical BCM
issues.
This is largely because, in the financial world, most of the
BCM issues are perceived as relating to technological
resilience, not softer concerns like appropriate crisis
management style or the psychological impact on staff. Many
technical lessons were learned and generally put in the public
domain via conferences, seminars and articles. In particular, the
problems created by multiple locations being affected by the
same disaster came as a surprise to many organisations.
Some major international banks had as many as 10 locations
denied access at the same time. Evacuation points, fallback
working locations, command/control centres and IT/Telecom nodes
may all have been simultaneously affected. Often their plans simply
did not envisage such a wide-scale disaster. The role of
Disaster Recovery service companies, their contracts and
obligations, also came sharply into focus, although to my
knowledge most of these specialist providers responded well.
There were immediate media questions on issues like: should high
profile business communities all be located in the same area?
Would key staff refuse to work in such high-rise buildings? With
everything now electronic, do we really need The Square Mile or
Canary Wharf? The questions are reasonable ones, but purely
theoretical. I see no major financial institution closing a
prestigious head office or moving out to anonymous addresses in
the provinces. I now see BCM concepts within the financial world
reverting to pre-9/11 normality. Some lessons have been learned,
technical deficiencies have been corrected, more tests
undertaken, and a lot of articles written and conference
presentations given. The subject is still on the Board agenda,
but only just, and is rapidly sliding back to its roots in IT or
as a subset of Risk Management. Yet if exactly the same type of
incident occurred today, some companies would be a bit smarter in
the recovery of systems and would hopefully save a few additional
lives with better evacuation procedures, but nothing fundamental
has really changed. BCM philosophy is still largely not embedded
in corporate culture; the Board technically own BCM but are not
intellectually or emotionally engaged, and it is seen as a set of
technical solutions, not as a holistic way of managing a
business.
John Sharp (CEO of the Business Continuity Institute) tends to
agree. He points out that “although many organisations in both
the public and private sectors claim to have Business Continuity
in place, once you scratch below the surface many plans are not
properly tested, staff are hardly trained and no overall BCM
ethos really exists. Much has been done, but there is still a
long way to go”. To this end the BCI have recently launched a
BCM Good Practice Guide with supporting audit and benchmarking
toolkits. Dr David Smith (Chairman of the BCI Education
Committee and main author of the BCI Good Practice Guidelines)
believes the tide is about to turn for BCM. He calls 2002 the
“Year of the Regulator”, the time when financial regulators
across the world got serious about Business Continuity. The
recent US White Paper submitted jointly by the Federal Reserve
Bank, the Comptroller of the Securities and the Exchange
Commission went further than ever before in demanding mandatory
standards. Although certain impractical elements have had to be
modified, such as the proposed 200-mile distance between primary
and backup sites, many of the other demands are likely to find
their way into legislation. The FSA have prescribed less,
claiming to prefer gentle encouragement to tough rules. However,
the Managing Director in charge of BCM at the FSA, Michael Foot,
is deeply committed to BCM and leaves no one in much doubt of
his expectations.
So where does this leave the rest of the business community,
those not part of the global financial infrastructure? In my
view, they are in much the same position as on the 10th
September 2001. I see no real evidence of any BCM improvement in
most of these companies, although some, particularly in retail
where supply chain continuity is vital, are forging ahead. For
example, Russell Husband of the John Lewis Partnership told me:
“For us, not having Business Continuity is unthinkable; we are
building it throughout the organisation as part of our
commitment to best retail business practice”.
Initiatives like the BCI Good Practice Guide and the various
regulatory bodies' guidelines are all moving commercial
businesses in the same direction. Similarly, the expected UK
Civil Contingencies Bill will probably make Business Continuity a
formal legal requirement for local authorities. Maybe 9/11 was a
wake-up call, and maybe some companies would prefer to go back to
sleep. I don't think they will be given that luxury for much
longer.