Terror, flood, fire, disease: how to plan for the worst

Tuesday, 3rd June 2008

The 21st century is proving to be a risky time to do business. What are the greatest dangers and how can firms prepare for them? asks Scott Payton

Terrorism
‘It’s highly likely that there will be a no-notice terrorist attack at any moment,’ says Lord West, under-secretary of state for security and counter-terrorism. ‘I always equate it to having had a triple heart bypass and being told by a consultant that it’s highly likely that you will die. That’s what “highly likely” means.’

Indeed, speak to the head of security at any London-headquartered company and you’ll hear talk not about ‘if’ another attack occurs, but ‘when’. ‘It’s inevitable,’ says the security chief of one major investment bank.

The nature of this threat is very different from that faced by UK towns and cities in the seventies, eighties and nineties, Lord West adds. ‘The IRA was much more focused. The terrorist threat we are up against at the moment is aimed at destroying our way of life by causing massive casualties.’

Lord West was brought into the government by Gordon Brown in June last year, following attempted terror attacks in London’s Haymarket and Glasgow Airport. He produced a report on how the UK should respond to the new threat, focusing on three areas: critical national infrastructure, transport and crowded places.

The former head of the Royal Navy concluded that although ‘quite a lot of good things have been done already’, there were a number of chinks in the country’s armour. One was cyber crime (see below). Another was airside security at airports – which hit headlines last month after the BBC discovered a gaping legal loophole allowing foreign workers with criminal records to amble freely around runways.

A further weakness was the protection of crowded places. ‘We now know from the people we’ve already put in prison that several terrorist plots had intentions to do things like attack the Bluewater shopping centre,’ Lord West says. ‘This is an area where we perhaps hadn’t pulled it together as well as we might do.’

So how should businesses respond to 21st-century terror? Talking to the Centre for the Protection of National Infrastructure, a government authority with close ties to MI5 and MI6, would be a good start. The CPNI works with major UK firms to ensure that they are both aware of and ready for new security risks. ‘We actually clear a number of security people inside companies to a certain level so they can get all sorts of classified information,’ Lord West says.

Another good port of call is the National Counter Terrorism Security Office (NaCTSO), a police unit with a country-wide network of security advisers specialising in helping businesses to prepare for terror-related risks.

A current NaCTSO priority is helping architects to create terrorist-resistant buildings. ‘We’re going to add a counter-terrorism module to architecture courses in this country,’ says Lord West. ‘Rather in the way we’ve done work to ‘design out’ crime from buildings, you can actually design out the really big risks from terrorism.’ This wouldn’t necessarily prevent a terrorist attack, but it would mitigate the impact of one when it happens. ‘Not a million miles from where I’m sitting in the Home Office, there’s a wonderful place to walk around in the sun with glass all over the place, where we’ve built in all the shrapnel to kill people,’ the minister adds.

A further step that companies can take to head off the terror threat is to choose their location wisely. ‘Your highest risk from direct terrorism attacks is collateral damage,’ says Jamie Burnell, a terrorism expert at Control Risks, a consultancy that helps firms to shore up their security. ‘Locating yourself near to a high-profile institution raises your risk much higher than your own company’s profile – which can be much less significant than many believe.’

Political developments can quickly turn a safe location into a dangerous one, Burnell adds. She gives the example of one Dutch company that was based near a foreign embassy in Indonesia. All seemed well until the end of 2005, when a Danish newspaper published cartoons that some Muslims felt insulted Mohammad – sparking violent protests in which more than 100 people died. Almost overnight, the Danish firm’s risk profile went from rock-bottom to sky-high.

Another unknown for corporate security bosses is the potential terrorism threat from their own staff – a problem compounded by employment law. One head of security for an international airline outlines a hypothetical situation: the firm has discovered that one of its pilots has potential links with an extremist group. But there’s not enough evidence to prosecute. So if the airline sacks the pilot, it will fall foul of unfair dismissal laws. But if it doesn’t sack the pilot, it is potentially putting its employees’ and customers’ lives at risk. What to do? Security services insiders admit there’s a problem here – ‘companies can find themselves stuck between a rock and a hard place,’ says one – but businesses have yet to hear any decent solutions.

The good news, says Burnell, is that the risk of being directly hit by a terrorist attack remains small for most firms – and it is getting smaller. ‘Terrorism casualties are going down year on year, but the visibility of those attacks is higher because they are more likely to do a big set-piece attack rather than a series of smaller ones.’ The bad news, adds her colleague Jonathan Wood, is that there are plenty of other dangers waiting to trip firms up. ‘There’s a tendency to focus on headline risks like terrorism and coup plotting, but it’s the more run-of-the-mill, everyday business risks that most companies will deal with,’ he says.

Industrial accidents
Terrorists’ bombs are not the only things that can blow up businesses. Oil depots can do this, too, as companies in Hemel Hempstead discovered to their cost at the end of 2005.

The Buncefield disaster was ‘a massive explosion of World War Two blockbuster proportions – the largest ever seen in peacetime Europe,’ says Taf Powell, head of an independent investigation into the incident set up by the government. And it took place next door to the largest industrial estate in the south-east of England.

Two thousand people were evacuated from their homes following the blast, while 25 businesses were seriously affected. Indeed, 16 firms were forced to relocate their operations, including more than 1,400 workers. The economic cost of the incident has already been calculated at over £1 billion, says Powell, and it may reach £2 billion. ‘If you think safety is expensive, try having an accident,’ he adds.

Why on earth were so many businesses sited next-door to an oil depot? And could such an event happen again?

Powell says that oil depots and other potentially hazardous industrial plants are often found alongside business centres because both rely on strong transport links, a local employee base and other location-specific resources. Moreover, developers have often been all too keen to encourage commercial development near such plants, he adds.

There are around 60 flammable storage sites of a similar scale to Buncefield in the UK – plus a further 60 smaller sites. Powell believes that the big lesson from the explosion is the need for greater dialogue between those running potentially dangerous sites and the companies that surround them. ‘I was the first official to meet the very distressed local business community following the incident. I met with very robust assertions that me and my kind – the regulatory community in Britain – had said that this site was safe. Well, actually, no, we hadn’t but you have to empathise with this view, because one of the things we do in the UK, and probably everywhere, is try to isolate communities and high-hazard sites from one another. I don’t think that site operators are held sufficiently to account by the communities in which they reside.’

He calls for local firms to get together to demand that hazardous site operators provide them with concrete proof that they are doing all they can to prevent an accident – and to take their own steps, in terms of business continuity planning, to prepare for the worst. ‘There’s no better questions that you can ask the managing director of a high-hazard facility than ‘how safe is your site?’ and ‘how do you know that?’ And there’s no better group to put these questions than the local business community.’

Cyber crime
As commerce migrates onto the web, so do criminals. This means that the virtual world can carry just as many business risks as the real world.

Around a quarter of UK firms had a serious information security breach last year, according to a new study by the Department for Business and PricewaterhouseCoopers. At very large companies, the worst individual breach this year will cost an average of £1m to £2m – a 30 per cent rise on 2006 figures. ‘The overall cost to UK plc is about $6bn a year – which is the equivalent of roughly two days’ holiday for everybody in the country,’ says PwC’s Chris Potter, who led the study.

Digital skullduggery is no longer just a matter of staff stealing databases and teenagers creating Windows-crashing viruses. It’s now the weapon of choice for organised crime.

One Russian identity theft outfit recently hacked into a series of corporate computers, then charged other criminals $1,000 for 30 days’ access, so they could help themselves to commercially sensitive data: a subscription service for thieves.

No-one, it seems, is safe. The chief executive of Arizona-based identity theft protection firm Lifelock, Todd Davis, recently had his identity and personal details stolen by hackers.

Some hackers’ party trick is trawling through the information stored inside computers to find juicy material to sell on to those who have a dark commercial use for it. Others make a fortune out of stealing personal data from social networking sites like Facebook and selling it to people who want to set up money-laundering bank accounts. One tech-savvy 19-year-old recently boasted on ha.ckers.org that he makes as much as $4,000 a day from selling stolen identities. ‘Hackers have realised that organised crime is very interested in paying them to use their skills,’ Potter says.

Lord West adds that the internet and other technological developments also put companies at greater risk from state-backed industrial espionage. ‘People are after their technology and skills,’ he says. ‘The US has a programme costing about $17 billion to resolve this. With the help of GCHQ, we have done things to make sure that we are not as vulnerable. But there are still vulnerabilities and that’s what we’ve got to do more work on.’

UK companies have also been sharpening up their digital security. Indeed, 98 per cent of firms now scan their systems for ‘spyware’, while 95 per cent guard against email viruses. These measures are working. ‘Since 2006, the overall cost to UK plc has dropped by about a third,’ says Potter.

But gaping holes remain. As many as 84 per cent of companies do not scan outgoing emails for confidential data, while 78 per cent of firms that have been victims of laptop theft did not encrypt their hard disks, leaving them open to be plundered. ‘Companies have become very good at fighting yesterday’s battle, which was all about viruses and backups. Where they are much less successful is in the protection of their customers’ confidential information,’ Potter says.

Extreme weather
Back in the physical world, climate change is leading to rising sea levels and wetter winters. And this means that UK companies face a greater risk than ever from flooding. On top of global warming, firms in the south-east of England face another grim fact: they are sitting on land that is sinking approximately 2 millimetres a year.

Malcolm Tarling at the Association of British Insurers is only too aware of the problem: last summer’s UK floods cost his organisation’s members an estimated £1.5 billion. ‘Weather risks are on the rise and will continue to rise,’ he says. ‘The scientific consensus points to the fact that freak weather is going to become the norm.’

Many businesses misunderstand the real commercial danger that flooding presents, Tarling adds. ‘Very often the biggest cost is not repairing the damage; it’s the business interruption cost while companies are unable to use their premises. Being out of a property for six months can be catastrophic for any business.’

Business interruption insurance is available, Tarling says, yet many firms don’t realise that this is a separate policy from flood, fire and theft cover. ‘And many businesses simply don’t have this.’

Planning alternative accommodation is another must for firms in areas at risk from flooding, as is backing up important computer data off-site – something that many firms damaged by last year’s floods failed to do, leading to disastrous losses of financial and customer records.

Last summer’s events also highlighted areas in which the government was unprepared for the potential impact of floods on the national infrastructure. ‘During the flooding, we discovered that there was one power sub-station that was actually critical. We should have had that factor very clearly available,’ says Lord West at the Home Office. ‘Now we are doing work to ensure that we know exactly where the crucial spots are across Britain. Obviously, this is fairly sensitive, because you don’t want this information to be available to those who want to do you harm or cause you problems.’

Meanwhile, businesses in the south-west have certainly learned lessons from last summer’s floods. The region now has the highest proportion of companies with disaster recovery plans in the UK – overtaking the previous leader, London.

Be prepared
An overview of the business risk landscape shows that the lesson learned in the flood-battered south-west is a valuable one for all regions and sectors.

A ’flu pandemic could wipe out a chunk of your workforce. The economic downturn could cause an irreplaceable supplier to go bankrupt. A faulty product could spark a customer backlash. Political turmoil could send an overseas operation into meltdown. All these risks, along with those discussed above, render business in this century at least as dangerous – and in some ways more dangerous – than at any other time in history. Yet the biggest risk attached to all these dangers, say crisis management experts, is to be caught unawares.

Alongside these headline-grabbing, fire-and-brimstone risks, businesses of all kinds face another ubiquitous danger: litigation. ‘The risk of any business being sued has probably never been greater,’ says Tarling at the ABI. ‘Sued in terms of an injury to an employee; an injury to a member of the public; the financial advice they give; or an injury resulting from a product they provide.’ On top of all this, companies can also find themselves on the wrong side of a myriad of other laws covering everything from age, sex and faith discrimination to smoking, maternity leave and unfair dismissal. ‘You can’t have a totally risk-free business,’ Tarling adds.

‘There is a worryingly large number of companies whose idea of an emergency plan is a fire drill, and they haven’t practiced that for years,’ says Matthew Sharpe, managing director of Media and Crisis Management, a UK consultancy. ‘Make sure you have an insurance policy, a risk management strategy and a business continuity plan – and review them regularly,’ adds Burnell at Control Risks.

‘Failing to plan is planning to fail, but you have to have a generic plan. Whatever the scenario you are planning for, the scenario you end up facing is absolutely guaranteed to be different,’ concludes Sharpe.

Scott Payton is a freelance business journalist and editor

The Spectator, 22 Old Queen Street, London, SW1H 9HP. All Articles and Content Copyright ©2007 by The Spectator (1828) Ltd. All Rights Reserved