The hidden aftershock
It has long been treated as almost axiomatic that following any serious incident that threatens life the most critical time is the first hour – in fact this has been coined by many as the “the golden hour”. Certainly for physical disasters, failure to properly notify key people and communicate accurate messages to service providers not only loses time and money – it can cost lives as well.
Many would argue that this applies equally well to incidents that may not so obviously put lives at risk. In the event of a cyber attack, the volume of data and number of transactions that could be compromised in seconds probably means we should be talking about “the golden minute”.
If we look at some high profile incidents of the past year, excluding natural disasters, you could argue that these are terrorist related. The Gulf of Mexico Deepwater Horizon disaster caused loss of life, massive environmental destruction and enormous damage both financially and to reputation to the company involved. The failure of Toyota to respond adequately to product safety concerns, particularly in the US damaged the world’s largest car maker financially and probably blackened its reputation for many years. Very recently, the failure of the Sony Corporation to protect client sensitive data has proved enormously costly and embarrassing for a company that prides itself on quality, competence and high standards.
Paying the price
Such examples and many others that occur every day of the year demonstrate the high price that organisations face when things go wrong. Usually they go wrong through management failures or unfortunate circumstances, no-one is trying to make the systems and safeguards fail – they just inevitably do. Compare this with what could actually happen if there was deliberate intent to create mayhem or destruction. This could be to either physical facilities or virtual facilities through cyber attack.
Recently I was speaking to Chris Phillips, head of the National Counter Terrorism Security Office, and he expressed the view that if you can manage through a terrorist attack, you can probably deal with almost any other threat or hazard. I think he has a good point, although natural catastrophes such as the one witnessed in Japan set the bar much higher than the consequences of any feasible act of terror.
Managing information
One trend I think is of particular concern. The phrase “perception is the new reality” is often banded about with the implication that if only BP, Toyota, Sony, Rolls Royce, Amazon and others affected by serious incidents just managed the media better all would be well. Actually it wouldn’t; oil workers would still be dead, cars would still be unsafe, millions of people would still be at risk of identify fraud, aircraft engines would still need to be modified.
The reality is that when an incident occurs, immediate decisions have to be taken. These decisions often cannot wait but the person responsible for making them lacks the level of accurate information really needed to make them in an informed manner. In the panic and chaos following a successful (or even failed) terrorist attack, confusing and misleading information abounds.
Most serious physical incidents show lack of proper communication and a failure of those in control to gain access to accurate or useful information. This is partly because in the early stages it is difficult to find out definitive information about what has happened and why.
If we take an incident such as the London bombings, initial indications suggested there was a network failure caused by a power surge. It took considerable time before what had happened was understood and communicated to those who had the duty to respond.
Let us assume that in many situations it is not clear to people in the vicinity of an incident what the cause is. However, the instinct of most people is to respond directly to the outcome, not think about the cause.
During the Glasgow Airport terrorist attack, the initial indication of a problem was someone seeing some smoke and in accordance with procedure triggered the fire alarm. Normally this would lead to evacuation but in the case of this incident that would have been the worst possible course of action. Thousands of people might have been evacuated into an area where a massive car bomb might have exploded.
Evacuation would have been the worst possible decision in that particular case but how does an individual know that? The person designated as responsible for the Initial Incident Response does not have time to assess the situation, decide the best tactical response and communicate that decision to vast numbers of staff and customers. By the time that process is complete, thousands of individuals would have made their own personal decisions. Certainly after 9/11, many who survived were those who ignored corporate instructions to stay in the building and took decisions into their own hands.
Challenging assumptions
The trouble with many Business Continuity Plans is that they have in-build (although not always stated) assumptions about the level and type of disaster that might occur. Terrorist attacks challenge those assumptions because they create outcomes which are outside of the experience of those caught up in them. So how could this situation be improved?
Firstly, I believe in better quality executive thinking. The CEO of one leading retailer called his senior management team together and told them to come up with scenarios that were “our equivalent of Deepwater Horizon”. What could happen to a retailer that could cause such corporate shock; would it be a range of food that killed customers, would it be a corporate scandal, would it be a media exposure of child slavery by one of its suppliers – or would it be something that no-one had even considered before. Scenario planning and horizon scanning have roles to play in helping companies focus on their real exposures.
Secondly, recognise the need to provide clear, consistent and rapid information to those mobilized to deal with the aftermath of an attack. Manual call trees and cascade systems can work but are labour intensive and take people away from more important duties. The use of automated computerised telephony has become increasingly popular in supporting Incident Management Plans.
Tailored systems
In general, these systems consist of pre-programmed instruction sets so that against individual scenarios telephone numbers can be automatically dialled, customised messages given and responses monitored by use of the telephone keypad. Some products link a fairly simple auto-dial facility to a list of disaster recovery vendors – to speed up the acquisition of a locksmith, glazier or the like.
Others are much more sophisticated and can be tailored to provide call-out scenarios in a wide range of situations. Usually such products are a combination of hardware, software and telephone network services. Because they are so time critical, users will normally have dedicated equipment to support such products. The key things to look for in these systems are:
• speed of notification achieved
• confirmation and feedback of the message delivery service
• flexibility in type of technology supported
• ability to modify scenario and call-out lists easily
• ability to activate the call-out process remotely.
A fully hosted route is the most effective approach, with the end-user simply having to activate the service via a security code at the time of an incident.
Decision-making
The most information element of success is, however, to ensure that data is readily available and can be shared so that decisions can be made with necessary input from key stakeholders. Traditionally this has been a weakness of many plans in the sense that formal structures such as Gold, Silver and Bronze require a level of formality. This certainly improves ongoing management of an incident but slows up the immediate response.
Centralised Command Centres (or Emergency Operations Centres) require set up, commissioning and the capability of key players to actually get there. Physical battle boxes stored off-site are excellent for practical items like hard hats but are not ideal for things that can be stored digitally (maps, diagrams, plans, contracts, procedures). Recently there has been a move to virtual command centers and virtual battle boxes, which are now very feasible given the myriad of internet services available, including virtual meetings, chat rooms, video conferencing and social networking. There is also a range of expert software products designed to support this faster response approach.
Such products are designed to give full management control of all the information resources and communications needed immediately following an incident. They also allow virtual command centres to be set up, thus saving time and travel. In such products all essential data can be made available via secured internet access to all members of an Incident Management Team, public and private chat room facilities can be utilised, virtual battle boxes of charts, maps, contracts etc can be accessed and recovery status monitored and made available for later analysis and audit. These tools can be very powerful but they do require some re-thinking about the conventional views of how a crisis or incident should be managed.
Integrated software
The following features are essential if this type of software is to be fully integrated into an organisational incident management response plan:
• Plan invocation by multiple means of communication
• Immediate access to vital documents via a Virtual Battle Box feature to ensure decisions based upon same data
• Remote access to digitalised photographs, maps and video clips
• Team orientated secured Instant Messaging Channels
• Integrated e-mail and SMS messaging capability
• Company defined Incident Escalation with pre-programmed automated notification based upon trigger points
• Task Allocation and Monitoring with built in task libraries
• Real team information sharing and access to external news sources/feeds
• Dashboards and traffic light system monitoring of key systems and recovery progression.
However, as with all decisions about supporting tools, the justification should not be whether the software has every conceivable feature but rather whether it will fit with your culture, meet your business objectives and is provided by suppliers who understand how a crisis enfolds and has to be managed.
So in conclusion, getting a positive spin on your response is vital but it is far from all you have to do to deal with a major threat such as terrorism. In fact, if people are properly trained and exercised in crisis management techniques, with sophisticated response tools in place, the likelihood of finding the media against you is much reduced.
For more information
E-mail: bci@thebci.org
Web: www.thebci.org
Related Features
Partners
 |
 |
 |
 |
 |
 |
 |
 |
digital issue
