Businesses across the country all felt the impact of the world’s greatest sporting event coming to London in August. Allen Johnson considers what organisations should do to prepare themselves against the risk of a major incident.
The world tuned in to London last month as the Olympic circus rolled into town. Aside from the huge crowds and media frenzy, the inevitable consequence of all this extra attention was an increased risk of a major incident. Security services and civil authorities were on high alert and working around the clock to minimise the risk, but it was a risk that could not be totally eliminated. At the time of going to press, the Paralympics had just got under way and those raised risk levels remain.
Business continuity should not, of course, be determined by high-profile events. Businesses can and should prepare themselves, first by imagining the ways that their processes and properties may be affected and then planning contingencies.
To get an understanding of what this might mean, we can go back to the London bombings of July 2005. The first the public heard of events on the day was via reports from the tube operator of explosions on the London Underground, due to electrical power surges in central London up to Edgware. It quickly transpired that the electrical bangs were bomb detonations, including an incident at Edgware Road tube station. Edgware Road tube station is a long way from Edgware, but this is an example of how incomplete or unconfirmed information leads to distortion.
The 7 July event was not a “terrorist attack” until it became known as such. Instead, it was an “attack by terrorists”; the difference is subtle, but important — and the real consequence was not realised until the story of what had happened began to unfold. In the fullness of time, the consequences were in the public domain and each had his or her own take on the effects of what had happened and how they felt about it.
What many have forgotten, however, was the events of two weeks later on 21 July, when the second and ‘real’ terror attack occurred. People now knew what could transpire and it was on this date that the emotive reactions associated with terror kicked in with vigour.
After the dust had settled
That which is adjudged to be a terrorist attack will precipitate the rapid shut-down of transport networks; road, rail and air will be affected in minutes. Emergency services will be stretched beyond normal capacities and the abilities of people to conduct their lives in normality will be disrupted to varying degrees. For as long as they need it, the emergency services will commandeer voice bandwidth and everybody else will have to wait. Whatever has happened will not materialise until the truth has fought its way through the clamour of speculation, misinformation and disinformation.
Organisations will be tasked with maintaining ‘business as usual’ but insufficient resources and what is currently a dire economic climate will exacerbate the difficulties in doing so.
There are a number of ways in which businesses can help themselves. The first is to assume such a catastrophe will happen — this will remove some of the surprise factor. It will help you start seriously considering what you can do to resolve the impact of such events on your organisation. This is a boardroom subject and requires buy-in on that level if the organisation wishes to stay on course to meet its corporate objectives.
So the message is: do not sit on your hands. Establish viable plans today in order to protect the net worth of the organisation and its reputation. As a minimum, plans should address threats to operations through injury or loss or unavailability of personnel, computer and communications technologies, premises and assets.
Such plans should be flexible and interpretative: avoid planning specifically for fire, flood, terrorist attack, criminal acts, epidemic, power loss, catastrophic IT failure, lightning strike, weather extremes, or civil unrest because the more prescriptive the document, the bigger it will become and it will have no end.
Plans should provide concise guidance on communications with those audiences that you believe would have an appetite for information ranging from, but not confined to staff and head office. Such parties could be next-of-kin, current and prospective customers, stakeholders, press and media, insurers — and any external third parties that may be useful.
Plan your communications for each audience and create draft messages and clearly documented guidelines. They should address what is to be communicated; how it is to be done; when will it be done; and who will do it. Nominate a spokesperson who has the authority to publicly represent the organisation.
An effective communications strategy is one of the most essential elements, but also one of the first things that can go wrong.
If home working is a realistic option, the following points should be considered:
- Provide home workers with access to job-specific software
- Confirm passwords and security permissions are correctly applied such that remote access is possible and in-house standards are not compromised
- Check bandwidth provision is adequate, especially in terms of the fully loaded concurrent demands upon systems
- Make available solutions and work-arounds to common problems
- Test the proposed solution to destruction.
If home working is not a realistic consideration, then focus more on practical alternatives and their associated logistics, including shared transport and other parochial needs. Remember: the only way to know for sure if contingency plans actually work is to test them.
Preparing the organisation
Once measures are established, ensure senior management knows what to do and how to do it. Two or three desktop exercises should achieve this, if carried out objectively. As a minimum, your plans must have defined roles and responsibilities so that management understands how the response will be organised in extremis.
Tell everybody by means of a presentation what has been done to protect the organisation and thereby their livelihoods. Doing this via emails is certainly easy, but simply does not have the same impact.
Finally, look after your people. Your team may be asked or expected to undertake extra responsibilities and duties, so give consideration of their needs — food, drink and bathroom facilities, resources to allow them to do what is required of them, the extra tools they need to go about their duties in safety, security and relative comfort, and anything they may need to deal with any emerging domestic matters.
There’s a tendency to place responsibility elsewhere for certain kinds of planning, especially when it involves activities outside of the everyday routine or business area. Some may claim that responsibility for business continuity related to major national events belongs to the civil authorities. In many respects it is definitely the case.
However, if the aftermath of one or more serious incidents includes the lock-down of transport networks, the rolling repeats of the media and the continued speculation that ensues, responsibilities that seemingly belong to somebody else, could belong to us all.
