Since September 11 2001, businesses in Britain, and, in particular, in London, have received abundant advice on how to cope with terrorist incidents. On Thursday, at about 9am after nearly four years of warnings, preparations, run-throughs and exercises their plans were finally put to the test.
Shocking though the attacks on London's transport system were, these were the kinds of incidents for which companies' business continuity managers and security staff had been rehearsing for nearly four years.
“The nature of these attacks and the way that they were carried out and the targets they were aimed against came as no surprise to those people involved in resilience and business continuity planning,” said Jonathan Gray, head of crisis and security management for Europe, Middle East and Africa at Control Risks, the consultancy.
Businesses were hit harder by the consequences of the near-complete shutdown of London's mass transit systems at the end of the morning rush-hour than by the direct impact of the explosions.
Only a few big companies including UBS, the Swiss bank, and Cable & Wireless, the telecommunications group evacuated offices. But business at many companies was disrupted by employees' inability to get into work. Most key staff at financial institutions in the City of London arrive early and were at their desks before the attacks but they, and many others, faced a difficult commute home.
BNP Paribas, the French bank, and Barclays, the UK financial group, were among those companies hiring fleets of buses to help workers get out of the city at the end of the working day. BNP and others also activated emergency block-bookings of hotel rooms for those staff unable to make it home. Tom Rose at Herbert Smith, the law firm, said: “The most pressing issue is about getting transport for staff and reassuring clients about access to lawyers.”
Reaction to Thursday’s attacks reflected in part the 30-year experience of London-based businesses in preparing for and coping with the consequences of Irish Republican terrorism in the capital. But it was also the first real trial of systems that companies have substantially reinforced since September 11 2001 and the Madrid train bombings in March 2004.
Research produced in March by the Business Continuity Institute (BCI), a UK-based organisation, indicated that nearly 70 per cent of all companies and 80 per cent of those in the financial and retail sectors already had plans to cope with disruption. Terrorism or war was the biggest threat that companies identified in the year to come.
A separate survey by Mori, commissioned by the CBI, the British employers' association, and published last November, suggested that companies had spent an average of £1m on security in the preceding year. Four-fifths of the companies polled said they spent more on security than they had done five years earlier.
Andy Tomkinson, a business continuity consultant and BCI director, said one mark of the preparedness of British business was that companies had not activated their emergency plans. He gave the example of clients such as a retailer in Oxford Street (the heart of London's shopping district), a bank in the City and a charity, that did not invoke their plans “because they had a strong feeling that they knew what to do if they needed to escalate [their reaction]”.
As recently as five years ago, Mr Tomkinson said, companies would not even have known where their responsibility ended and that of the emergency services began. Information disseminated by the London and national authorities, and exercises conducted by them, have helped to clarify the roles of the public and private sector, eliminate duplication and fill in gaps in emergency cover.
According to Control Risks, companies in London and beyond must now be prepared for a period of further disruption, paranoia among staff, false alarms, crank calls and, in the worse case, further incidents.
Companies would be ill-advised to overhaul their emergency plans under such circumstances, said Justin King, managing director of C2i International, a risk management group, unless the attacks had made them aware of flaws that might be exposed by future incidents. After reviewing their response, Mr King said, “the smart security and business continuity managers will now sit back and say ‘Is this scalable? If it isn't, we have to review it'.”
According to the CBI's survey last year, between a fifth and a quarter of UK companies were still worried that their business continuity plans had not yet been tested or that they might be “somehow inadequate”. Thursdays attacks will have shown many companies whether those concerns were justified.
Additional reporting by Jonathan Moules and Paul J Davies