5.6 Business continuity planning
An organisation's strategy regarding insurance for its business risks is no substitute for high-quality risk management and emergency preparedness to address all contingencies. Some incidents we have mentioned above; others may involve IT security, for example. While the day-to-day activity of an organisation may not be particularly hazardous, it can still be affected by a hazard not of its own making. Examples might be a natural disaster such as flooding, or a hazardous activity on an adjacent site.
Unfortunately, in today's society commercial undertakings or places where people gather can also be a target for terrorist activity. One strange twist is the targeting of catering outlets as they are places where people congregate. Also, some fast-food outlets are regarded as being ‘legitimate’ targets because they are perceived as a symbol of western capitalism. The risk was highlighted in an article in a trade journal with the rather attention-grabbing headline: ‘Spy chief warns food industry over terrorism’ (Anon, 2003, p. 2). The article reported that ‘in a rare move’ the head of MI5 had issued a warning to the food and chemical industry that it was vulnerable to a possible terrorist attack as it posed ‘a very attractive target’. The changing nature of terrorism resulted in threats to new industrial sectors. As a result, police had been advising food manufacturers and distributors about security measures to help prevent a terrorist poisoning of food supplies. Should such an attack ever take place, or more importantly should an attack ever be claimed to have taken place, effective emergency planning would be essential. There would be an urgent need for an effective food recall system to withdraw suspect food from sale, and warn the public. You will have noticed from Table 9 that tampering with products has caused significant loss to companies in the past.
Of increasing concern is the risk of what is euphemistically referred to as ‘collateral damage’, where an organisation might be affected by terrorist activity aimed primarily at some nearby target. This was a major feature of terrorist attacks on the City of London, particularly the St Mary Axe bomb (April 1992) and the Bishopsgate bomb (April 1993). Similar problems were experienced after the Canary Wharf bomb (February 1996) and the Manchester city centre bomb (June 1996).
St Mary Axe is a street in the City of London, near the Baltic Exchange. On 10 April 1992, a terrorist bomb hidden in a transit van exploded. Three people were killed and about 130 injured. The bomb left a crater about 4.3 m deep and 4.5 m in diameter. One 2 m piece of debris was blasted over 600 m, and part of the vehicle was found on the seventh floor of the NatWest Tower. The ground shock was felt 13 km away.
One organisation affected was the Commercial Union insurance company. Their 23-storey office block (the St Helens building) lost every one of its windows. Fortunately, they had effective business continuity plans in place and their response to the incident is an example of good emergency planning practice. The Commercial Union response is summarised in the following information box.
Box 2: Crisis – a timetable for recovery
Following a bomb blast at 21.20 in the City of London on Friday 10 April 1992, Commercial Union activated its disaster recovery plan within three hours. All communication links, including the telephone switchboard for the entire London area, had been lost.
At 07.30 the next morning there was a crisis meeting of directors and senior managers at which four prime considerations were identified:
How to reinstate telephone links for 3600 extensions in the London area offices by Monday morning.
How to accommodate 650 staff.
How to provide them with necessary telephones, furniture and computers.
How to inform customers and intermediaries about arrangements for Monday morning.
By 10.00, the crisis team had, by reference to the disaster plan, established:
that the switchboard could be reconstituted at their computer centre near Croydon;
that data requirements could be met by linking the mainframe to new screens in new locations;
contact with telecommunications and information technology suppliers to reinstate communication and order extra equipment;
the need to ‘cascade’ information down through the organisation, so that all 650 staff would have the facts and know what was expected of them on Monday morning;
staff numbers in each business area and the amount of in-house office space in and around London;
that market requirements meant that certain staff had to be relocated within the City straight away;
that, as an investment house as well as an insurance company, a replacement trading floor would be needed by Monday morning.
On Monday 13 April, the national press carried adverts confirming ‘business as usual’.
On Tuesday 14 April, 631 of the 650 staff were working as usual. The remainder were either working from home or on holiday. The Annual General Meeting of the company was due to be held on this day.
At the appointed time for the AGM, the date and time of which had been fixed in advance, a quorum of shareholders met as close to the original venue as deemed safe by the police and passed a resolution to reconvene at the new venue.
At 14.00 on 14 April, the AGM was held ‘as though nothing had happened’.
(Source: Commercial Union Risk Management Ltd)
Insurers and their loss adjusters now expect organisations to have taken appropriate actions to protect themselves against foreseeable hazards. So do other stakeholders, and especially shareholders.
Unfortunately, the threat from terrorism is now regarded as foreseeable. A survey covering 421 organisations from a broad spectrum of business service sectors, dispersed evenly throughout the UK, was conducted in 1993, the year after the St Mary Axe bomb. This looked at how the organisations would cope if they no longer had access to their computerised information systems. The survey found that 43 per cent of responding organisations still had no contingency plans at all (IBM, 1993). Reliance on computerised systems has, of course, increased enormously since then. Also, many ‘business critical’ applications are now held on desktop machines that even a comparatively small emergency such as an office fire may render inaccessible.
In some cases the need to plan might be an administrative requirement, for example one imposed by insurers as a condition of providing cover. In other cases it might simply be sound business sense. As official guidance notes:
Many businesses fail as a result of various types of major emergency – storm, flood, fire, terrorism, product contamination or pressure group activity. Experience shows that those businesses which have considered potential hazards and prepared response plans, which often need be no more than a few pages in length, have a much greater chance of surviving than those who are unprepared.
(Cabinet Office, 2003, p. 13)