Security services and civil authorities are on high alert and working tirelessly to minimise risks but risks cannot be totally eliminated. Businesses can and should prepare themselves, firstly by imagining the ways that their processes and properties may be affected and then planning contingencies.
To get an understanding of what this might mean we only need to go back to the London bombings of July 2005. Events reached the public ear with reports from the tube operator of explosions on the London Underground due to electrical power surges in Central London up to Edgware station. It quickly transpired that the electrical bangs were bomb detonations including an event at Edgware Road tube station. Edgware Road tube station is 11 miles from Edgware station, the latter being nowhere near any of the events that transpired on that day but this is an example of how incomplete or unconfirmed information leads to distortion.
The events highlighted the swiftness of the response by the Emergency Services and how the incidents were managed. This attack claimed the lives of 52 victims with approximately 700 more injured; physically and mentally.
Scenaris personnel heard initial reports on the radio about 30 minutes into the breaking news, and when a second “bang” was in the public domain we straightaway drew the conclusion this was not an electrical fault of any description but a terrorist attack and we responded accordingly. The advice we gave to those customers we contacted in the following minutes was succinct and was described by some as “crucial” in how they formulated pragmatic strategies to deal with the circumstances.
The 7 July event was not a ‘terrorist attack’ until it became known as such. Instead, it was an ‘attack by terrorists’ – the difference is subtle, but important – and the real consequence was not realised until the story of what had happened began to later unfold. In the fullness of time, the consequences were in the public domain and each had his or her own take on the effects of what had happened and how they felt about it.
What many may have forgotten, however, was what happened two weeks later on 21 July when the second and the real ‘terror attack’ occurred; people now knew what could transpire and it was on this date that the emotive reactions associated with terror kicked in with vigour.
The global reach and exposure of the games has the potential to attract other serious and unwanted incidents. I will not speculate as to what they may be, but more to suggest of how to cope with the outcomes.
Whatever is adjudged a terrorist attack will precipitate the rapid shutdown of transport networks and road, rail and air will be affected in minutes. Emergency Services will be stretched beyond normal capacities and the abilities of people to conduct their lives in normality will be disrupted to varying degrees. For as long as they need it, the Emergency Services will commandeer voice bandwidth and everybody else will have to wait until the mobile networks return to some semblance of normality. Whatever has happened will not materialise until the truth has fought its way through the clamour of speculation, misinformation and disinformation.
Organisations will be sucked into the turmoil of having ‘business as usual’ but insufficient resources with which to do it and the current dire economic climate will exacerbate difficulties. But there are a number of ways in which businesses can help themselves and I’d like to share them with you:
Assume it will happen
This will remove much, but not all, of any element of surprise. It will help you to start getting your head around what you can do to resolve the impacts of serious and unwanted events upon your organisation. This is a boardroom subject and requires total support if the organisation wishes to stay on course to meet its corporate objectives. Do not sit on your hands.
Establish viable plans in how to deal with the impacts of such incidents in order to protect the net worth of the organisation and its reputation
As a minimum, plans should address threats to operations through injury or loss or unavailability of:
- Computer and communications technologies.
- Premises and assets.
Plans should be flexible and interpretive. Avoid specifically planning for fire, flood, terrorist attack, criminal acts, epidemic, power loss, catastrophic IT failure, bird flu, weather extremes, civil unrest etc. because the more prescriptive the document, the bigger it will become and it will have no end.
Plans should provide concise guidance on communications with those audiences that you believe would have an appetite for information ranging from, but not confined to:
- Staff and head office.
- Current and prospective customers.
- Trading partners
- Press and media.
- External third parties that may be useful.
Plan your communications for each audience and create draft messages and clearly documented guidelines as to what is to be communicated, how it is to be done, when it is to be done, who is to do it and what will be communicated in future.
Nominate a spokesperson who has the authority to publicly represent the organisation. An effective communications strategy is essential and it is the hardest part to get right and the easiest part to get wrong.
There are software packages in the market that automate much of this requirement and we will freely share with you the details of what differentiates one from another.
If this is a realistic consideration ensure those working from home are provided with:
- Appropriate technology to achieve their ends in terms of access to software solutions upon which they depend.
- Appropriate security and associated permissions applied such that they do not compromise in-house standards.
- Sufficient bandwidth to accommodate their fully loaded concurrent demands upon systems.
- Solutions or work-arounds to problems they may encounter when not in the usual place of work.
Then test the proposed solution to destruction.
If home working is not a realistic consideration, e.g. for shop workers, factory workers etc. then focus more on practical alternatives and their associated logistics, including shared transport and other parochial needs. The only way to know if plans amount to anything worthwhile is to test them.
Prepare the organisation
Once measures are established, ensure senior management knows what to do and how to do it. As few as two or three facilitated and objectively driven desktop exercises should achieve this. As a minimum, your plans must have defined roles and responsibilities so that management understands how it is organised in extremis.
Tell everybody in the organisation by a presentation of what has been done to protect their livelihoods and thereby the organisation – doing this via emails is easy but just does not work.
Look after your people
People may be asked or expected to undertake extra responsibilities and duties so give consideration of their needs, e.g.
- Food, drink and bathroom facilities.
- Safety, security and relative comfort.
- Resources to allow them to do what is required of them.
- Problems they may encounter or issues with which they may require help, particularly domestic matters.
There’s a tendency to place responsibility elsewhere for certain kinds of planning, especially when it involves activities outside of the everyday routine or business area. Some of us may point out that responsibility for business continuity for the Olympics is something that belongs to the Olympic Executive and the civil authorities. In many respects it is definitely the case.
However, if the aftermath of one or more serious incidents includes the lock down of transport networks, the rolling repeats of the media and the continued speculation that ensues, responsibilities that seemingly belong to somebody else, could belong to us all.
Allen Johnson is a managing consultant with business continuity management specialists Scenaris Ltd. Email: firstname.lastname@example.org