Resources
Continuity Planning
Could your business recover and continue trading after a major security incident?
Accidents, criminal acts, vandalism, natural disasters, terrorist attacks and security breaches at some point in the future could affect the operation of your company. Do you have contingencies in place when such events occur? Could your business recover and continue to trade after a major security incident?
Outside forces can damage your business, be it an act of sabotage or a catastrophic explosion which not only affects you but the whole operation and infrastructure of your business.
A major terrorist incident could have the following consequences:
- Loss of staff through death orinjury.
- Damage to your buildings.
- Loss of IT systems, records, communications and other facilities.
- Unavailability of staff because of disruption to transport or their unwillingness to travel.
- Adverse psychological effects on staff, including stress and demoralisation.
- Disruption to other organisations and businesses on which you may depend.
- Damage to reputation.
- Changes in the business demands placed on your company.
You will need the right resources to maintain your critical business functions. These are likely to include:
- Sufficient people with necessary expertise and motivation to lead and manage the organisation.
- Access to key records and ITsystems.
- Reliable means of communication, especially with your staff.
- The ability to carry on paying staff, to ensure their safety and to provide them with welfare and accommodation.
- The ability to procure goods and services.
- The ability to respond to demands from the media.
The Importance of Planning
External security incidents may be beyond your control but by having tried and tested plans in place, coupled with highly trained and capable personnel, your company will be able to cope and recover.
Contingency Planning, Disaster Recovery and Business Continuity
There is often a lack of understanding as to what is a contingency, a business-continuity and a disasterrecovery plan. This often hampers the performance of your security people in a crisis situation.
Developing and Maintaining an Effective Plan
Your plan should only include that which is relevant to sustaining the security of your business and your personnel. The plan should make sense to all staff and be communicated effectively across your business.
Advantages of Multi-skilled Security Officers
In the past, many companies had designated Security Officers, Fire Wardens, First Aiders and Health and Safety Officers. However, recent times have seen the emergence of the multiskilled security officer trained to cover additional responsibilities such us:
Then:
Security Guards, Fire Wardens, First Aid, Health and Safety officers
Now:
Security Officers, Security Officers, Fire Wardens, Security officers and First Aid, Security Officers and HSE
Disadvantages:
Ring-fenced functions, Limited Flexibility, More Cost
Advantages: Cross Compliance, Better understanding of Security Technology 24/7 Support for key functions Better Security officer integration with core business Cost Effective Better security officer continuityand retention Peace of mind.
Having multi-skilled security personnel can offer you more protection and disaster recovery plans.
National Contingency Support Programmes
At the local level, the Civil Contingencies Act 2004 requires local authorities to provide advice and assistance to businesses in relation to business continuity management. You should consult your Local Authority website for further details.
There are also programmes across the UK that you may be able to tap into when developing your own contingency plans.
Case Study: City of London Police - Project Griffin
Developed by the City of London Police, Project Griffin has a remit security officers and employees of large public and private sector organisations across the capital on security, counter-terrorism and crime prevention. The Project brings together and coordinates the resources of the police, emergency services, local authorities, business and the private sector security industry.
Organisations registered with the Project take part in a one day security-focused seminar, which can be geared to their specific needs. This enables organisations to target their specific concerns whilst sharing best practice across a range of security issues. This is followed up 12 months later by an online refresher package.
Following its success in London, Project Griffin has now been adopted by over 20 other UK police forces, and has generated interest and acclaim from overseas (Hong Kong, Australia and the US in particular).
Corporation of London
In 2004 the government introduced the Civil Contingencies Act to enhance the capabilities of the Corporation of London to respond efficiently to emergencies. It covers the way the Police and local authorities plan and prepare for security incidents.
This legislation requires the emergencyservices to communicate and work together on all aspects of emergency planning.
The Corporation of London and the Cityof London Police have established the City of London Contingency Planning Team (COLCPT) to help the city businesses to be more efficient in their response to security emergencies.
Project Argus
Project Argus is a National Counter Terrorism Security Office (NaCTSO) initiative which explores ways to help organisations prevent, handle and recover from a terrorist attack. It achieves this by taking businesses through a simulated terrorist attack. The event allows the client to explore their options; what is likely to happen in the event of a terrorist attack; how their continuity plans (if any) function, and what their priorities should be. The events are free and are ideal for businesses of any size. The events take place around the country and have involved constabularies from around the country, including Merseyside, Bedfordshire, North Wales and Cambridgeshire.
www.nactso.gov.uk
Contingency Planning Saves Lives
When those two planes struck the Twin Towers on September 11th 2001, Morgan Stanley activated their contingency and continuity plan to safeguard the lives of their employees. In the first 20 minutes between thefirst and second planes crashing, their evacuation plan was implemented.
This plan was developed after the 1993 terrorist attack on the World Trade Centre. Most of the 3,700 employees were off the high floors by the time the second plane struck. Six employees were killed in the attacks; considerably fewer than other businesses in the Twin Towers.
Operations managers acted promptly to ensure Morgan Stanley could continue operating. Employees walked 22 blocks to their back-up site to turn the computers on.
By 9:20am the back-up site was live and by 9:30am senior management had relocated to another back-up site that became their command facility.
In the attempt to locate their 3,700 employees, as per the plan, Morgan card facilities in Phoenix to a toll free emergency hotline. By 11 am the number was appearing on national television and by 1:30pm the centre had received over 2,500 calls. New York’s City’s phone system suffered failures within one hour of the attacks so Morgan Stanley accessed a dedicated phone line to their London office, which enabled them to call their Chicago Office.
Morgan Stanley recognised that itwas not only important to get back to business quickly and as efficiently as possible but that it had to ensure that its employees were coping with the situation. Three hundred grief counsellors were hired to help traumatised employees and to train mangers on how to respond to their fellow employee’s difficulties in coping with the aftermath of the incident.
A key part of Morgan Stanley’s efficient reaction during this incident was the way in which their highly trained security personnel responded.
Are you Prepared?
Businesses need to be prepared for any eventuality. In 2005 the explosion at the Buncefield Depot in Hemel Hempstead caused huge disruption in the South East; this and other events, such as 7/7 in London, have demonstrated that businesses are not immune from disaster. Yet research conducted by the London Chamber of Commerce and Industry in 2005 amongst South East firms revealed some alarming statistics in relation to contingency planning, disaster recover and business continuity.
These statistics are alarming, particularly as in May 2006 65% of London firms still believed another attack like 7/7 was inevitable. In addition, three quarters of company directors in the capital believed that London’s transport network was no safer than it was before the 2005 bombings. Companies in the capital have failed to learn the lessons of 7/11 and 7/7, with many now less prepared to withstand a major incident. The proportion of all firms with contingency plans in place had fallen from 46% to 41%.
So ask yourself the following:
Do we have a plan for?
- Contingency
- Disaster Recovery
- Business Continuity
- If so when did we last review the plan? Is it current?
- Does it comply with BS7799* or another external body?
- Who owns the plan? Who is responsible for implementing it?
- What are our critical success factors for each plan?
- Who knows we have a plan?
- What expertise can I use to build our plan?
Conclusion
At some time in the future you will face the challenge of recovering from a security incident. How you respond when it occurs will determine your ability to trade in the future. We recommend that you develop a continuity plan that is structured, involves your people, has been tested and fully utilises the skills of modern day security best practice.
Further Advice
A wide range of advice on business continuity is available and much of it is free. The Government’s Preparing for Emergencies website www.pfe.gov.uk provides extensive information for businesses, including the booklet ‘Expect the Unexpected’. This booklet is jointly published by the police National Counter Terrorism Security Office, London First and the Business Continuity Institute. More detailed advice for business continuity professional can be found at www.ukresilience.info.
The London Chamber of Commerce and Industry has also published guidance for businesses on how to draft and implement a business contingency plan, entitled ‘Crisis Management and Business Continuity Planning: A programme for Business Survival (see www.londonchamber.co.uk).
Useful Websites/References
www.ukresilience.info
www.citysafe.org
www.londonchamber.co.uk
www.pfe.gov.uk
www.projectgriffin.org.uk
www.nactso.gov.uk
* BS7799 is a standard setting out the requirement for an Information Security Management System. It helps identify, manage, and minimise the range of threats to which information is regularly subjected.
