| Business continuity lessons from July 7th Many of the facts have now been confirmed about what actually happened on July 7th. Three explosions occurred on the London Underground at around 8.50am, all within 50 seconds of each other. A fourth explosion happened on a bus at Tavistock Place at around 9.47am. 54 people were killed in the attacks and several hundred were injured. At least one of the attacks has been confirmed as a suicide attack and it is highly probable that all four were, making this the first such attack in Western Europe. There are undoubtedly many lessons that the police and other emergency services will be gathering from the incident. These are outside the scope of this article, which will concentrate solely on lessons related to the business continuity profession. However, it must be said, that the sheer bravery and professionalism of the first responders has rightly been commented on by many, many, people - from those caught up in the incidents to world leaders. The business continuity lessons discussed in this article can be broken into the following main areas: TELECOMS What lessons can be learned from the above? Some comments received by Continuity Central on this issue include: “Every continuity plan has communication at its heart during the invocation stage. Over reliance on mobile ‘phones and a question as to what you then do if landlines are unavailable will need real consideration. This is one for the Tier One communication providers and has been an ongoing debate in the industry for the last year,” said Mike Osborne, ICM’s business continuity operations director. John Goodeve-Docker of Speech Solutions, stated: “In a time of crisis, whatever the reason, it is human nature to revert to communicating by a familiar and trusted method - the telephone. Yet the vast majority of companies with a business continuity plan, let alone those without one, tend not to include their telephone systems within their plans. The reasons are generally twofold. Firstly a great many companies regard their switchboard and telephones as a part of the premise’s facilities and do not attach the same priority to them as they do data and IT. Secondly, those that are aware of the need to include the telephone, tend to rule them out of initial continuity plans because of complexity and cost. This is based on the fact that most companies do not have alternative telephone systems available and also have Direct Dialled numbers (DDIs) and to transfer these to alternative locations can be difficult to achieve. However there are simple, quick to activate, effective and commercially justifiable answers to these issues.” A report published after September 11th 2001 by the McKinsey Consultancy Group highlighted various telecoms continuity issues and what companies could put in place to prevent such issues. The experiences in London seem to show that these lessons have still to be learned by many companies. The McKinsey report found that firms were "overly vulnerable to 'choke points' - telephone switches and other hubs through which key information flows". The report recommended that businesses should develop "an alternative communications system for emergencies" and even went as far as suggesting that "the financial services industry should consider developing a secure network for use in emergency situations that does not rely on the main telecommunications network or on the mobility of participants". One telecoms continuity success on July 7th was the emergency services’ ‘Airwave’ system. This uses the highly resilient TETRA, Terrestrial Trunked Radio, system, providing voice, SMS and data transmission services. This means that first responders can talk to each other, make phone calls and potentially tap in to information from local, regional and national police databases - all from a single device. The system, which is also encrypted, is being deployed across the UK at a cost of almost £3bn, in partnership with mobile network O2. "We've had Airwave for quite some time - and we think it's one of the best pieces of kit we've ever had," Andy Trotter, deputy chief constable, British Transport Police told the Guardian newspaper. "Airwave vehicles were sent out to Russell Square and Kings Cross, and they dropped so-called 'leaky feeders' down into the tunnel so that Airwave could be used underground. Searchers said it was a massive help to be able to talk to each other." Given the resiliency of Airwave and the availability of a national network, it would seem to make sense to provide access to the network for business continuity teams within an affected area. This may take some hard bargaining and a high level of accreditation before business continuity managers are given access but it could provide a vital link to allow emergency services to keep business continuity managers up-to-speed with urgent developments, such as evacuation instructions, and would also enable business continuity teams to remain in contact which each other throughout an incident. CRISIS COMMUNICATIONS TERRORISM PROTECTION The only effective protection against a suicide bomber is to keep them well away from your premises; certainly no one who could possibly be deemed a threat must be allowed within the building. This will mean implementing and maintaining an effective access control system, ensuring that visitors, delivery people, or anyone unknown to the organisation are kept outside the building until positively identified. Do not allow unidentified people to approach an internal reception desk. In a public building security staff should be located outside entrances, as far as is feasible in an area which is isolated from either public streets and from the premises itself. The Department of Homeland Security has issued the following advice for effective building security: * Rearrange exterior vehicle barriers, traffic cones, and road blocks to alter traffic patterns near facilities and cover by alert security forces. * Institute/increase vehicle, foot and roving security patrols varying in size, timing and routes. * Implement random security guard shift changes. * Increase perimeter lighting. * Deploy visible security cameras and motion sensors. * Remove vegetation in and around perimeters, maintain regularly. * Conduct vulnerability studies focusing on physical security, structural engineering, infrastructure engineering, power, water, and air infiltration, if feasible. * Install locking devices on manhole covers in and around facilities. HUMAN RESOURCE ISSUES "What do you do with potentially thousands of members of staff when a city centre transport network is locked down?” asks ICM’s Mike Osborne. “What are your obligations as an employer? There can be only two choices, either have a contingency plan that involves bringing private transport solutions (if allowed access) to a pre-agreed location and/or arranging hotels, or you have a contingency arrangement that puts alternative workplace centres outside of city centres. The London bombings closed the transport network essentially for one day – and as we were approaching the weekend many organisations allowed staff the day off or asked them to work from home. Had there been any hint of chemical or biological attacks, we could have seen this period extended to weeks or beyond. This would have had completely different connotations on staff logistics which had been solved by the points made above.” One of the clearest lessons of July 7th was that business continuity plans which focus on information technology and ignore other mission critical areas, especially that of human resources, are fatally flawed. They may be effective IT disaster recovery plans, but they are certainly not business continuity plans. Earlier this week the Info-Tech Research Group highlighted this lesson: "The recent London terrorist attack is prompting companies to look at their contingency plans," said Ross Armstrong, senior research analyst at Info-Tech. "Most planners think about IT downtime or loss of power but don't consider situations in which the technology is working but their employees can't reach the office. "In the case of last week's bombings, many employees were not able to get to work because the transportation system was shut down. The ability of business to continue in circumstances like these is a direct result of how well communication and information technology services are extended to the home for remote operations and teleworking." Info-Tech recommends that enterprises review their business continuity plans to incorporate key elements such as: - Ensure the plan specifically identifies ‘key employees’ that need to have system access, and define how they will have remote access to critical systems in the event they cannot reach the workplace. This could include enabling home computers for corporate access or issuing laptops. - Set up a Virtual Private Network for PC access as well as remote teleconferencing and the ability to call forward business phones to home numbers. - Make it a policy that laptop users take their PCs home nightly, even if they don't intend to do work at home that evening. - Enable network administrators and system operators to do as much remote management as possible. In addition to line workers, IT operational staff needs remote system access to ensure business continuity. One easy measure which can be taken to assist companies tracking down injured staff has been widely discussed since the attacks. This is the idea of simply typing emergency contacts into mobile phones, prefixing the contact’s name with the acronym ICE (for ‘In Case of Emergency’) Business continuity managers may wish to consider encouraging staff to enter an organisational contact number as an ICE number within their mobile phones. ISSUES SPECIFIC TO UNDERGROUND INFRASTRUCTURES Thomas O'Rourke, the Thomas R. Briggs Professor of Engineering at Cornell conducted research following 9/11, where he found that communications in New York City were widely disrupted, largely because of damage to the underground infrastructure near the collapsed towers. Broken water mains poured 35,000 gallons of water per minute into a seven-story underground space, filling it "like a big bathtub" and flooding transportation tunnels all the way to New Jersey. Falling debris smashed into a vault next to the Verizon building just north of the Twin Towers, cutting cables. "We have been building for ourselves a more and more complex world and packed our systems below street level with more and more different components often with little planning or integration," states O'Rourke. "These systems have accidents without terrorists. We'd like to make them work better under normal circumstances. Irrespective of terrorism, there's a lot to be gained." “One problem,” O'Rourke says, “is that different utilities are often in close proximity. You can have a major telecommunications line next to a water main next to a high-voltage electric cable," he said. “The problem is aggravated by the fact that utility companies often don't talk to each another, so workers are not able to locate these dangerous proximities." “We can make them strong where they cross," he said. "Somebody has to know where they are, but organisations are reluctant to disclose this information." INVOCATION ISSUES “This raises the issue of what happens if organisations have invoked because of perceived threat and by doing so potentially impact the recovery ability of an organisation which has actually been affected. This particularly applies to syndicated services that have high subscription ratios, or operate an equitable sharing scheme which may see available space divided amongst the standby and actual invocations.” “The rights of clients in terms of standby vs invocation or the ability to invoke based on perceived rather than actual incidents are issues the industry as a whole and recovery centre providers particularly, need to be clear on.”
•Date: 15th July 2005 •Region: UK •Type:
Article •Topic: Terrorism / BC general |
