by Peter Power
Crisis management expert
Since September 11 2002, there have been repeated warnings of a major terrorist attack on the UK. Despite the potentially devastating impact on British business, many companies do not have the contingency plans in place that will be essential if they are to survive such an attack.
be prepared: Sir John Stevens says an attack is inevitable
Of course a crisis will never happen to your organisation.
It's always going to hit someone else and in any case the emergency services will tell you what to do and besides, we have insurance to cover us. Well, not exactly. Perhaps not at all.
According to previous research in the UK, should disaster strike an organisation that is unfamiliar with Crisis Management and some form of tested Business Continuity Plan (BCP) to fall back on, 12% will probably fail after five years, with only 8% surviving in the long term.
It's that clear. If anyone still has doubts about the wisdom or cost of creating a BCP (a plan to continue key operations in a drama, rather than just recovering the bits afterwards) just ask anyone who experienced a previous major terrorist attack in the UK.
Following Manchester in 1996 for example, most businesses never recovered at all.
It's worth noting that the current UK terrorist threat level (Severe General) includes the words "It is assessed that an attack is a priority for the terrorists and is likely to be mounted".
Moreover, in March of this year, the Commissioner for the Metropolitan Police, Sir John Stevens, said he considered a major attack on London as "inevitable" and no-one has really disagreed with him.
In most terrorist bomb scenarios the police will probably expect you to either evacuate or more likely 'invacuate' (stay inside a building, turn off air conditioning, close windows) and that means practising now.
In such a major incident the authorities will be very busy protecting key services, or what they refer to as the 'critical infrastructure'.
To quote the Chairman of the Defence Select Committee, Bruce George MP, "the private sector will have to look after their own affairs in the event of a major crisis".
So what about your insurance policies? In the UK it is generally accepted that for every £1 of insured costs, anything between £8 and £36 of uninsured costs often exist under the waterline.
This has been referred to as the 'loss iceberg' where the greatest threats, or costs, are hidden out of view, but ready to cause serious damage.
Apart from terrorist or other sensational incidents, equal if not greater corporate damage can come from loss of reputation, retraining costs, investigation costs, adverse publicity, fines/penalties, experience and so on.
These are uninsurable risks, which makes it even more important to understand what might happen in a catastrophe and to make yourself as resilient as possible.
Put another way, if we fail to prepare, we can surely prepare to fail.
Experience has shown that when suddenly faced with any catastrophe - directors, managers, indeed all of us, have a tendency from the outset to try to follow routine or familiar references, sometimes just to keep sane - a sort of displacement action in a world suddenly full of 'un-ness' (events that are unimaginable, unnecessary, unprepared for, unusual, unacceptable)
The more disturbing the situation, the stronger the urge to take refuge in familiar procedures. Yet such procedures are going to be the most inappropriate ones to take since familiar procedures do not work for unfamiliar situations.
I have personally witnessed this phenomenon at major incidents ranging from the Kings Cross Fire in London where over 30 people perished, to terrorist sieges and with hindsight, have been guilty of it myself when faced with catastrophe.
Events where the usual 'mental control panel' seems to have stopped working: all the dials are in the red zone, the data misleading and the 'instruments' mean nothing.
So let's look more closely at what you can and should do now. Not just against the terrorist, but anyone or anything likely damage your people, profits or property.
How do you prepare to be a Crisis Manager and write your own BCP?
Here are just eight ideas:
- Understand what critical or key activities you do, how often you do them, whatever they need to function, threats that could jeopardise them and how long you can accept any down-time. Then look at the options to continue key activities in a crisis, albeit on a reduced scale and above all, how to safeguard your people.
- Identify your preferred Crisis Management team (and alternates if unavailable) and work through a few realistic desk top exercises to understand individual and team dynamics, recognise where subsequent changes might be needed and then try again.
- Make sure your plan is going to be 'crisis friendly'. By that I mean capable of being read by someone actually in a crisis.
- Avoid 'analysis paralysis'. This happens when to many demands and a lot of data is dumped on otherwise busy people who are probably far removed from the board, under funded and simply cannot cope.
- Avoid a Catch 22 situation. Just as preparing a plan that only concentrates on the 'headline' causes may fail if a more mundane crisis occurs, so a plan which is overly concerned with the most probable or expected may fail if fate provides the company with one of the nightmare scenarios.
- Get some professional help. Risk, threat and Business Impact Assessments, coaching and testing have to be researched and delivered properly.
- We are becoming far more interdependent on others so the knock-on effect of any disaster will be felt a long way from the centre. For example, finance and other companies are increasingly outsourcing key call centres and back office functions to India. Telecoms, Facilities Management, Transport and other critical tasks are routinely in the hands of third party contractors and if they fail, so might you.
- Keep everyone involved. Increasingly, shareholders and auditors alike are asking to audit BCP's and to make audit sign offs and further investment conditional on implementation of a fully documented BCP. Learning to do this means more than reading a book. Like swimming, you have to really practise in the safety of the shallow end first.
Peter Power is Managing Director of Visor Consultants Ltd. London (www.visorconsultants.com) and author of the UK Govt. (DTI) issued guidebook 'Preventing Chaos in a Crisis'. He is also a Fellow of the Business Continuity and Chartered Management Institutes, and Emergency Planning Society.
He also took part in the recent Panorama programme discussing a major terrorist attack on London and regularly runs workshops and coaching sessions on Crisis Management.