| A review of UK and London resilience
Introduction The author has worked internationally in business continuity since 1989 and is one of the most experienced practitioners in the country. He has experience in almost every business sector and has implemented solutions that are tested and operational across the world. His experience and knowledge leaves him uniquely placed to comment on strategies being discussed. Current status The immediate concern was the obvious lack of integration by these bodies and the conflicts in their presentations. When questioned during the events it was quite clear that there was not a combined and co-ordinated structure to the work being done. However there were two greater concerns that became obvious in early 2003. Firstly that the work being completed was being done on best endeavours by the groups and was not calling upon recognised expertise or advice from external professionals. The author spoke to a number of the UK’s leading experts in business continuity and at this time none of them were being asked to work with these groups or to provide expertise. Our experience has shown that business continuity plans evolve and are rarely written completely in the first pass. Planning and planners require experience and most learn through their mistakes the best way to construct strategies and plans. This is not an intellectual process that can be learnt and studied it is only through continual exposure and repetition that plans will work. The various groups in 2003 were re-inventing the wheel, going through loops that had already been travelled and experiencing the mistakes, which could all have been avoided. Calling upon the right people would have ensured that the costs and times were significantly reduced and that protection that, twelve months later, is still not there, could have been put in place. Secondly, and more significantly, in early 2003 there was hardly any link to the commercial sector. This sector is the main area the groups mentioned above are trying to protect and ensure continues to operate, but they were not being called upon to provide information or to drive the projects. Many of these corporations have made massive investments in business continuity, for some this totals millions of pounds per annum, and have proven plans and strategies in place. These companies have years of experience and have implemented recovery plans to meet their needs that work and are expected to be used. These companies should have been the backbone, the framework and the drivers for London Resilience and other teams, but once again planning for the locations containing these corporations was being undertaken without their input. In early 2004 the author was asked to present to a large financial conference about where London Resilience and UK Resilience were at. At the same event London Resilience, the utilities, the Financial Services Authority and the emergency services all presented. In researching the presentation the author found very little understanding of the work completed, the role and the progress made by London Resilience. It was stated that from the commercial sector’s point of view there was little visible progress and very little understanding of what London Resilience did or what they would do after an incident. The FSA now has links to some key financial institutes for business continuity planning review and it also has links to other key institutes through the Tri partite and the Merlin groups. They also have links through the Cabinet Office to the Metropolitan Police but, when asked, the FSA could not present any link to the City of London Police where the majority of the financial institutions being overseen by the FSA are based. This is indicative of the lack of structure and control in the planning being carried out. The commercial sector has begun to lose faith in some of the sub-committees set up and a number are now very poorly attended as little progress has been seen. Following the author’s presentation a number of the commercial sector organisations asked to meet to discuss the information. In addition a further review meeting with the FSA was held to clarify some of these issues, this meeting further demonstrated the number of groups and sub groups and the lack of pragmatic information available to those planners who need it. The FSA have identified 50 key financial companies that would be key after a major incident. They have gone as far as assessing the recovery capability of these organisations but they will not give advice if weaknesses are found. A keynote however is that the Bank of England is excluded from this independent assessment. It is not clear, though, what happens to all the other organisations outside of this top 50, nor is it clear how they would be handled after an incident. What is needed is an agreed level of assessment, like that used in the build up to the millennium, which will allow companies to be reviewed against each other and against a central metric. In addition, all the other financial institutions not in the fifty selected would be able to see what levels they should try and achieve. These weaknesses create a flaw in the initial thinking and strategy planning for the whole sector. Once again co-ordinated planning is required by a skilled business continuity body that can offer advice and bring together the disparate areas. It is interesting to note that London Resilience, who heard the speech to the audience of about 60 financial organisations, made no effort to discuss the content. During 2003, many presentations were also made by members of the Cabinet Office’s business continuity section. Most of the points raised above about London Resilience also apply to these presentations. A recent large-scale test by the City of London police simulating a major incident in the City demonstrated the police force’s competence to manage such an event but also showed how this would be in conflict with the business continuity plans of many of the organisations within the City. These corporations’ plans are well tested and are aimed at restoring business within the shortest possible period of time. To ensure London and especially the City, is functional as quickly as is possible emergency services, government and private sector plans need to be complementary and supportive, not stand-alone as they are now. So what does this mean and what can
be done? As it stands today if a major event affected the City of London there would be different reactions and expectations by all key groups. This would lead to unnecessary confusion, delay, disappointment and potential catastrophe. This does not need to be the case. There is too much money being spent in too many areas that is not focussed and is not delivering results. The organisations that rely upon the information are not getting it and the plans they have in place are not being considered by the co-ordinating groups. This has led to a loss of faith in the strategies and plans being constructed and there are concerns that the money being spent is misguided and the timescales too long. The Civil Contingencies Bill once in place and being implemented will not help this situation significantly. The Bill will mainly be taken up by local authorities and linked groups, it will have little to no affect on the commercial market and does not show how links to commercial plans will be considered. The Bill will help emergency planning officers to understand their expanding remit but will do little to help businesses. The Manchester BT incident has shown how a simple fire can cripple a significant part of a major western city for a long period of time. This demonstrates that planning must go beyond London and that plans for utility recovery under emergency services control must link to key businesses and have plans in place to communicates and understand business requirements. So what can be done? Emergency plans for the protection of the public and the reaction to a major incident are expected by the public and are not business continuity plans. The nation expects the security services and emergency services to protect us. It is expected that risk reduction and security management will be in place and that the likelihood of a major incident is reduced by their skills. But business continuity accepts that an event will still occur. The United Kingdom has lived with terrorist events for the last 30 years, it has continued its work and raised its levels of security. Since the events of the 11th September in New York no major terrorist incident has happened in the mainland of the United Kingdom and yet the nation is now being encouraged to live in a state of fear. The last actual major terrorist event on the mainland was the Irish republican bomb at Hammersmith Bridge and yet the media and government continues to maintain the current terrorist threat is the most significant the country has faced in its history. The danger of the perception of the government continually “crying wolf” leading to complacency is real. Businesses and the public need more substantiated information to base their plans upon. The planning by the newly co-ordinated groups must be focussed on the recovery and continuity issues not the reaction and management of a national crisis. The next step must be to bring together the representatives of the key businesses and a review of their expectations and strategies undertaken to identify what the assumed recovery strategy of corporate London is at this time. This will identify where the investment is being made and what timescales the corporations are working too. With this information the coordinated Resilience Group can plan pragmatically to minimise the impact and to ensure that the London reaction and recovery will compliment and support those that need it. The regulatory bodies such as the FSA must work with their members to identify the status of planning and set agreed levels of competence that will help the smaller companies understand the levels of expectation at a national financial strategic level. However the key factors that planners in companies need are simplistic pragmatic items that can be included in plans. For example, where will the FSA be after an event, how will they be contacted, who will co-ordinate large-scale national financial decisions and how will this information be disseminated? The Corporation of London issues cards to companies in the City, which allow them to meet and glean information; the FSA should consider a similar process. In addition the thousands of other companies and the non-financial companies within the City and across London must be co-ordinated. There needs to be lists of companies, contacts, and locations that can be used to identify those impacted. The impact of an infrastructure loss or transport loss needs to be co-ordinated through the companies affected to identify ways this would affect operations. This is detailed information but this is what the co-ordinating groups must supply to the corporations to make the programme work. In Glasgow, due to the lack of a co-ordinated approach, the major corporations have organised themselves to bring in the emergency services and local authorities to build a city based strategy. This is what should be in place across London and all major cities. Consultants and external experts should be brought in to the Resilience Teams to ensure common mistakes are avoided and to make best use of the knowledge available. Diagrams of the links between groups should be created so that all bodies and corporations know and understand the links and routes of information. The sub groups should all be stopped until it is clear what the overall aim is and what the final deliverable will look like. The whole process is too slow and is perceived as ineffective. A co-ordinated approach is needed which clearly shows the route information takes to key areas, who is responsible for co-ordination and how this will be actioned in a real incident. Summary The UK has some of the world’s best business continuity planners, especially with regard to terrorist planning, and these skills need to be co-ordinated to produce protection across the UK in the shortest possible time. Author: Tim Armit, Clifton Risk Management, timarmit@cliftonrisk.com
•Date:
14th May 2004 •Region: UK •Type:
Article •Topic: BC
general |
