Business Continuity

Planning ahead


Creating operational resilience, protecting business reputation and adding value, rather than just responding to emergencies, are among the strategies for preventing terrorism from threatening business continuity. Terrorism poses that threat both directly, through its potential to interrupt operational activities, and indirectly, through the changes in business resilience methods needed to prevent it occurring or at least mitigate its impact.

Despite its roots in Disaster Recovery, Business Continuity Management (BCM) in 2011 is about very much more than that. The earlier confusion between Emergency Response and Business Continuity as disciplines is largely resolved; both play key parts in dealing with any major incident. Failure to address either the response or the continuity elements effectively has the potential to escalate even a small incident into a full-blown crisis very rapidly. In particular, amongst the many threats that businesses and other organisations face, terrorism is the one that has immediate resonance with the public.

Facing global risks head on
No one will forget the images of 9/11 and the political and social upheaval it caused, outcomes which are still unresolved a decade later. The 7/7 London bombings, the destruction at Atocha station in Madrid and the orchestrated attacks on international hotels, transport hubs and cafes in Mumbai have left impressions on the British, Spanish and Indian communities that will never really be erased.

Whilst no-one can argue about the human and social impact of terrorism, there is much less consensus about its real significance as a business risk. International consultants PWC have undertaken research into the main global risks that are causing concern to CEOs across the world. Interestingly, terrorism only came into the top 20 at number 17. Admittedly some of the other concerns could result from successful terrorist attacks, such as “security of supply chains” (13), “government protectionism” (11) and “energy costs” (6), but these are also outcomes that could result from many other geo-political factors.

Evidence from recent research supported by the Business Continuity Institute (BCI) also seems to indicate that, like their CEOs, most BCM professionals have little or no experience of terrorist attacks or consequential loss. They also see an imminent business interruption due to terrorism as much less likely to occur than one arising from many other threats and hazards. Issues such as extreme weather, transportation disruption, loss of key staff through epidemics, IT failure, cyber crime and long supply lines all cause them more concern.

More evidence comes from the 2010 Chartered Management Institute (CMI) survey into diverse business risks, where terrorism came bottom of a list of 21 actually experienced incidents during the previous year. This was the same in each of the previous ten years in which the CMI asked this question. Not surprisingly, when asked about impacts of these different threats, terrorism did score higher but still was not amongst the top 10 most significant potential business losses.

Taken together, this could lead to an assumption that from a risk management point of view, terrorism is unlikely and the impact should it happen is moderate. Therefore, one might argue that it should not be treated as a priority risk when determining security and resilience policy. This conclusion does not, however, sit well with any common-sense sanity check – the perception of terrorism (like violent crime) might well be greater than the realisation but it is often perception, not facts, that drives markets and causes perfectly viable businesses to fail.

Reducing losses
The research work of Knight and Pretty at Oxford has become a cornerstone of BCM and crisis management thinking since it demonstrated the close link between success in managing crises and shareholder value. The experiences of BP and, perhaps to a lesser degree, Rolls-Royce in 2010 were ample demonstration of this. So how much worse would the situation have been had there been a terrorist dimension?

Many airlines have had crashes with major loss of life over the past 20 years, but how many can you remember? Unless it is an area of particular interest for you, or you sadly had some personal involvement, probably hardly any.

Have any global air carriers gone out of business as a result of a pilot error, air traffic control mistake or mechanical failure? I suspect very few, if any. However, who will ever forget the Pan American Airlines evening flight to New York that was blown up over Lockerbie so many years ago? Although the probability of such an incident occurring is very low and the direct results (i.e. loss of lives) identical to other loss scenarios, PanAm (at the time the world’s largest airline) very quickly ceased to exist.

There is no doubt that the terrorist threat, and perceived inadequate management in dealing with it, is an image that few companies could handle without enormous impact on their business credibility. It would therefore be unwise to concentrate management effort on dealing with fire, floods, IT failure, pandemics, volcanic ash and labour unrest while ignoring the unlikely but ever-present catastrophic threat posed by terrorism. From a business continuity viewpoint, this is easier to rationalise than from a conventional risk management standpoint.

Risk assessment
Many organisations have well established risk management programmes, maintain detailed risk registers and successfully embed this process into departmental objectives. Whilst very effective at dealing with Business As Usual (BAU) risks, many companies are less successful at dealing with catastrophic risks such as terrorism.

Most risk models are theoretically quantitative to some degree and as such need to reconcile and give values to things that are not always compatible. How do you compare a high impact, low probability threat with a low impact, high probability hazard? In most risk methodologies they will be given similar importance, thus over-emphasising the importance of minor incidents that are best handled by improved day-to-day management practices.

The BCM practitioner is not very concerned about probability; he or she always turns their attention to worst-case consequences and the time-scales available for recovery. Business continuity is geared towards resilience and protecting assets and value. In fact, the definition now almost universally accepted for the subject states that it provides a framework for building resilience and the capability for effective response. Its purpose is to protect the interests of stakeholders, reputation, brand and value-creating activities.

I am often asked how well companies learnt the lessons from 9/11, 7/7 and other attacks. Certainly security is more obvious and invasive at airports and at the entry to public buildings. In countries with relatively low labour costs like India and China, the number of security guards is enormous and causes delays and frustration to everyday life.

If we ask, “Are large global corporations in the financial world better prepared to deal with a wide-scale disaster?”, I think the answer is almost certainly yes. If we ask, “Are governments in some parts of the world and their associated regulatory and standards bodies taking a much closer interest in BCM?”, the answer is definitely yes.

Unfortunately, if we ask, “Are the myriad of other wealth generating sectors of the world’s economy doing much about business continuity?”, I fear the answer is no.

Hazard management
Finally, and most tellingly, there is a question that could be addressed quite widely, even in countries like the US and UK: “Have CEOs done much to improve the overall management capability to manage random catastrophic events?” Again, with a few exceptions, I fear the answer is no. The idea that the threat is unlikely to be realised is still often used to justify lack of planning, but actually million to one chances happen all the time. Despite risk management theory, this is still self-evidently the case.

The lessons learned from terrorist attacks are wide-ranging and important, and can help manage a number of similar threats. One attribute of terrorism is its unpredictability; any business continuity programme must recognise that and be able to react rapidly to mitigate the impact regardless of where or how it is delivered.

Inappropriate handling of the media during a serious incident might ruin a company more quickly than any physical incident. Concentrating too much on the actual scenario tends to feel like the old adage about generals always fighting the last war, not the current one. By definition, if we knew exactly what was going to happen, when and where, we could almost certainly prevent it or at least minimise its impact.

After 9/11 there were many speculative theories around. Would key staff refuse to work in high-rise buildings? With everything now electronic, do we really need temples of capitalism like Canary Wharf in London? The questions seemed reasonable, but were never going to impact business life significantly. No major financial institution closed a prestigious head office to move to an anonymous address in the provinces. BCM concepts within the financial world rapidly reverted to pre-incident normality.

Learning the lessons
Some lessons have been learned, technical deficiencies have been corrected, more tests undertaken, and a lot of articles written and conference presentations given. The subject is still on the board agenda, but only just, and often slides back to its roots in IT or as a subset of risk management. Yet if exactly the same type of incident occurred today, some companies would be a bit smarter in recovery of systems and would hopefully save a few additional lives with better evacuation procedures, but nothing fundamental has really changed.

BCM philosophy is still largely not embedded in corporate culture. The board technically owns BCM but is not intellectually or emotionally engaged, and it is seen as a set of technical solutions, not as a holistic way of managing a business.

For more information:
Web: www.thebci.org



