How can business prepare for a terrorist strike? And what can it do to help the police? James Hart, commissioner of the City of London Police, and Hamish Bryce, of the London Business Resilience Forum, answer readers’ questions in a live debate on August 17 at 1pm BST. Send questions now to email@example.com - answers will appear below. Hit refresh for the latest.
As the FT reported last week (London business ‘faces attack’ from terrorists), James Hart believes a terrorist attack on the City of London is only a matter of time. Mr Hart has called on big businesses to extend security to the small and medium-sized businesses that serve them. “What we encourage big businesses to do is put up an umbrella around these people if they are working in the shadow of big corporate HQs,” he said.
As chair of the London Business Resilience Group Hamish Bryce seeks ways to improve communication between government agencies, departments and business on resilience issues and risks. “Looking at the short term lessons from July 7 we find that we can no longer rely upon basic assumptions such as transport availability, staff morale, and the use of mobile phones. These and other essentials to ongoing business activity need to be questioned in the context of maintaining a truly resilient business, “ he says. Click here for Hamish Bryce on business preparing for terror attack.
What is the basis of your assertion that “only 50 percent of businesses had plans in place”. Is this just a general impression based on an informal assessment, or was a survey conducted? If there was a formal survey, what questions were asked? One of the difficulties I face when attempting to assess a company’s business continuity preparedness is to explain what is meant by ‘having a plan’. I would like to use the information to enable me to develop specific advice that I can give out to improving the situation.
BCM Business Development Manager
Marsh Risk Consulting - Business Continuity Management
James Hart: My comment was based upon information that is available in the public domain from a number of business interest groups. However, I recognise that the majority of large businesses within the City have comprehensive contingency plans in place. It is not an uncommon view that the City is one of the best prepared business areas for coping with any eventuality.
My concerns are for all businesses and I would actively encourage larger companies to work with small and medium-sized enterprises within their areas to ensure that every business is capable of managing any disruption, should it occur. Since I made the comments published in the FT last week, a number of businesses have been in contact with City of London Police to seek assistance in developing their contingency plans. My officers will work with the Corporation of London to support these companies in any way we can.
Hamish Bryce: I agree with you that there is some difficulty in explaining exactly what ‘having a plan’ means. The situation is further complicated by the diverse nature of business and the fact that different sectors have different requirements.
The majority of large companies do have continuity plans in place though these are not always adequately updated or tested. A large proportion of small and medium-sized companies - and remember 95% of UK businesses have less than 10 employees - don’t have business continuity plans in the conventional sense. They have to juggle limited resources as well as balance day-to-day business requirements and business continuity is not always the priority it should be.
The key is practical advice delivered in a practical manner. I particularly like the London Prepared website (www.londonprepared.gov.uk) where you can find a ten minute checklist under the business continuity section, as well as the booklet ‘Expecting the Unexpected’ published by London First and the Police. Both are very helpful resources that offer simple advice to start the process of making your business more resilient.
I would like to ask what preventative information is being passed to business. What can individual businesses be doing to reduce the possibility of an attack getting through, and what intelligence information will be passed to businesses to ensure they are aware of specific threats at any particular time? Will high risk warnings be notified to main business centres and if so, how will this be transmitted?
Alliance Insurance Management Ltd
James Hart: Police would recommend that all businesses become as familiar with their environment as possible: monitor vehicles being parked in the vicinity of buildings. Undertake regular external patrols to ensure there are no suspicious bags or items left in the vicinity of the building.
Businesses should ensure that they have adequate access controls. Make sure that you know who is entering your building and check that they have a legitimate reason for doing so.
Consider reducing the number of entrances so that all visitors can be monitored. Make sure CCTV is recording properly. Do not rely on the images being viewed on monitors. Check the tapes for quality. Finally, report all suspicious activity to police as soon as possible.
Hamish Bryce: Government, through the various agencies and police forces, has always briefed business on the nature of the threat and advised on what steps businesses can take to minimise the outcomes of any disruptive incident.
A booklet, produced by London First and the Association of Chief Police Officers, entitled ‘Secure in the Knowledge’ has just been distributed and is available from the websites listed above. In fact, over 30,000 copies of the pdf file have been downloaded from the London prepared website alone in the last four weeks.
Government recognises the need to be more specific with its information and are committed to providing further co-ordinated information and advice as well as more effective major event information. Much progress has been made in the these three areas over the last 18 months.
The aim is clear - to provide a more transparent and better accepted understanding of the threats so that business can plan more effectively and put in place more appropriate continuity plans.
How can companies that provide business continuity and/or security and risk management advice become more closely involved in creating policies and work with central government, local authorities and the emergency services to ensure that businesses, particularly SME’s, can take steps to minimise disruption?
Hamish Bryce: Government bodies and the related agencies already have close contacts with the business community and with the security and risk management industry. This has led to the formation of the Business Resilience Group and has led to extensive consultation between Government and business regarding the Civil Contingencies Act.
The Civil Contingencies Act makes it a statutory obligation for Local Authorities to provide business continuity advice to businesses within their area. The Local Authorities are now working hard to take on this new obligation putting in the appropriate skills and by introducing appropriate business continuity plans for their own operations.
This is a very positive move and coupled with the expected introduction of a new British Standard directly related to Business Continuity in late 2006 early 2007. This standard, and the knock on effects of the Operating and Financial Review and Turnbull in respect of large companies making appropriate plans to mitigate against the impact of external events, will create the climate to encourage SMEs to put in place more appropriate, updated and rehearsed business continuity plans.
As early warning intelligence of a pending terrorist attack is a critical requirement, is there any means in place to provide warnings to the business community in a timely manner? I would extend this to include businesses operating overseas in high-threat areas of the world.
James Hart: City of London Police has a tried and tested system whereby the force regularly communicates security information to the community, via pager and email alerts to minimise disruption to the business community. This is a successful system, which has been operating since the 1990s. Through this method we are able to communicate with over 6,000 businesses within the City of London and beyond. This proved a valuable communication link to the community during the incidents of the 7th and 21st July and beyond. Many businesses have commented on how useful they found this service. Similar schemes are now in operation in other cities based upon the City Police model.
Many of the businesses that participate in this communication system are multi-national and will disseminate relevant information to their offices around the globe.
Businesses in the City of London that are not already subscribers to these facilities can register with the City Police via the following e-mail address: firstname.lastname@example.org.
Further information on pager alert can be obtained via www.vvdm.co.uk
How concerned are you about the gradual shift and eventual concentration of business to Docklands - coupled with the relative lack of transport options away from the area compared to say the City where most mainline stations are within walking distance?
Hamish Bryce: Much work has been done on the evacuation of the Isle of Dogs and Docklands. There are good transport links based on roads, rail and the river. The detailed plans are sensitive and therefore restricted to those who would need to implement any evacuation or partial evacuation. Clearly for London to maintain its world class standing all parts must keep the reputation as a secure and safe location for international business. London continues to be cited as a relatively low-risk option for business to invest in.
1. Do you think it is a good idea to have protective zones within a building?
2. Who is the actual supremo, i.e. the person who actually coordinates the CBRN activities in the UK?
3. Is there any danger of retrospective litigation taken by the staff affected by Toxic attack?
James Hart: 1. Any contingency plan designed to respond to a threat to a building should include safe areas for staff. One of these should be within the building in an area that has been assessed as capable of resisting blast damage. A number of external rendezvous points should be identified to ensure that if staff need to be evacuated they do not have to pass through possible danger areas. It is also important that there is some simple and easily recognised warning that will signal where staff should evacuate to.
In identifying external rendezvous points, you should work with your neighbouring businesses to make sure that the prospective sites do not become dangerously overcrowded. As with any contingency plan, external or internal evacuation procedures should be regularly tested and reviewed.
2. Any response to a CBRN incident would inevitably require a multi-agency approach. Therefore, the police, the fire service and the ambulance service work at the highest levels to ensure that their contingency plans are co-ordinated and complementary. This is also reflected in central government, where the Home Office, the Office of the Deputy Prime Minister and the Dept of Health would be the lead departments.
Should a CBRN incident occur, the emergency services’ response would be co-ordinated by the police. The fire brigade would have responsibility for immediate rescue, the ambulance service would treat the injured and the police would be responsible for controlling the area. A group known as the Strategic Co-Ordination Group, involving senior members of all the agencies involved would manage the incident. They would be overseen by a central government committee, chaired by a senior member of the government.
3. Under the Health and Safety at Work Act, employers have a duty of care for their staff. Employers must be able to show that they have taken all reasonable steps to ensure the safety of their staff whilst in the workplace.
Hamish Bryce: Protective zones within a building can be useful particularly when a premises needs to be searched. Ensuring searched areas remain sterile is an important factor in an effective and quick search. The occupier is responsible at all times for their premises and the key part of any business continuity plan is how a company manages its premises and residence therein at the time of an incident. Regarding staff specifically, businesses do have a duty of care towards their staff whist at work.
To your second question, in parliamentary terms, the Home Secretary is responsible for the protection and security of the United Kingdom. He is assisted by other Secretaries of State as appropriate (for instance Department for Transport obviously leads on protection and security of the transport infrastructure). The work is co-ordinated by a Cabinet Committee chaired by the Home Secretary which draws together the agencies, departments and organisations that would be involved in handling any CBRN incident.
To your final question, businesses do have a duty of care towards their staff while at work. The occupier is responsible at all times for their premises and they key part of any business continuity plan is how a company manages its premises and those resident therein during an incident. Government advice is ‘Go in, Stay in, Tune in’ and only evacuate a building if told to do so by the facilities or security manager or the emergency services.
Many of my members have in place ways and means of dealing with unforeseen problems such as power cuts and loss of computer equipment. Why has it become so important that we extend these business continuity plans beyond this. There is a cost and time implication which many small businesses may not be able to cope with. Also, what other areas should they be looking at?
Oxford Street Director
New West End Company
Hamish Bryce: The simple answer is that good business continuity planning is not something that you do and place on a shelf. It is a constant process of risk assessment and mitigation that includes both threats and hazards. Effective plans rely on generic responses that are scalable and flexible to handle the outcomes of unexpected or disruptive events. No matter what the size of business the process must be evolutionary not static.
The cost of effective business continuity is surely nothing compared to the loss of your business. The environment in which business operates today has changed out of all recognition from just ten years ago and there is an increased probability of disruption as a result of increased dependence on technology and the new scale of terrorist threat. In addition, over the years to come climate change may also pose a substantial challenge to many businesses.
The new environment in the UK reflects dramatic changes worldwide: rapid economic and business integration driven by new technologies, more efficient use of lean infrastructure and supply chains and yesterday’s high-end products now available to all at affordable prices. All these changes make it ever more important that businesses fulfil their duty of care to employees, customers and shareholders. Having appropriate business continuity plans in place, building on the previous plans but adding vital new dimensions, doesn’t have to be expensive, “putting all your eggs in one basket” by being overly-dependent on a single supplier or process certainly can be.
Given that the threat in London appears to be of a more wide-scale nature than may have been previously the case i.e. multiple simultaneous bombs and the possibility of ‘dirty bombs’, is there a recommended distance, or strategy, for locating alternative premises/disaster recovery facilities?
James Hart: Alternative premises/disaster recovery facilities should be close enough that they can be activated with the minimum disruption to day to day business. However, I would recommend that this should be at least one mile away from the current area of operation. In selecting a location, you may wish to consider access to and travel arrangements for staff. Once you have identified a location, the facilities within it should be regularly tested and ready for immediate use.
As well as business doing its utmost to protect employees and establish contingency arrangements, what more can be done by the authorities to ensure that the probability of an event occurring is minimised? Could there be closer cooperation between commuters and the police/secret services?
Majedie Investments PLC
James Hart: The police already work very closely with the security services to provide as safe and secure an environment for commuters as possible. If you have travelled into London over the last few weeks you will, no doubt, have noticed the increased police presence around all public transport services. Throughout all this we have been very impressed with the support we have received, the vigilance shown by commuters and their patience in accepting the inevitable disruption they have experienced.
We continue to encourage commuters to report anything they consider to be suspicious to police immediately. This can be done in one of two ways: by calling 999 if it is something which requires an immediate police response or by contacting the anti-terrorist hotline on 0800 789321. You can also contact the hotline if you have any information relating to terrorism.
Over these forthcoming months the most important thing for commuters is to remain vigilant but to continue to go about their daily business as normal. We would like everyone to remain alert to the threat but not be alarmed by it, after all, it is communities which defeat terrorism.
There has been lots of publicity on terrorism in the City but, of course, this is not the only type of unforeseen risk that businesses face. For example a major flu pandemic has been predicted to hit the UK within the next few years and modelling indicates that this could have far worse and longer term consequences for business than terrorist attacks, not just in the City of London but Nationwide. Do you have any comment on other forms of disruption beyond terrorism, considering other sectors, which are just as important to the economy as the City?
Hamish Bryce: For obvious reasons in recent weeks much of the focus has been on the city, the UK economy and the adverse impact on business of terrorism. However, it is clear that the disruption caused by any incident - whether terrorism, accidental or a natural disaster - can have similar affects on the economy and confidence in the city. As such it is clear we need a more sophisticated understanding of the pinch-points in the system as well as their inter-dependencies.
The approach should be to look at sectors as a whole, examining the critical roles of the component parts and decide how best individual companies can prepare their continuity plans. Ensuring that each building block has business continuity plans in place will contribute to a more resilient sector overall.
The challenges facing the oil distribution industry during the fuel protests during the Autumn 2000 clearly illustrate the potential problems for the nation as a whole. You quite rightly refer to the risks associated with the flu pandemic. It could be that the NHS is overly dependent on a relatively few suppliers of critical services and products which would become problematic during an extended flu pandemic.
All this reminds us that good business continuity planning, while perhaps initially driven by terrorism, nevertheless needs to address a range of threats and hazards. One must remember that businesses are more frequently struck by loss of IT and telecommunications, and disruption such as fire, flood or industrial action than terrorism.
In the wake of the terrorist outrages on London, the crucial role of CCTV and more specifically forensic surveillance, has been highlighted as one of the single most important ways that business’ can assist the police in their investigations. Given that the vast majority of existing privately operated Closed Circuit Television cameras are not adequately profiled or configured for this vital role, what advice would the experts care to offer to existing CCTV system operators?
James Hart: The City of London Police have mapped all the public areas covered by privately-owned CCTV. This allows us to approach specific companies for specific events and has been formalised into a partnership between the police and private companies.
We’d be happy to provide you with more information on this if you would like.
My advice to businesses would be to review what you are actually recording. Can you identify people from your images? Do your cameras cover vulnerable areas of your building? Could you get a better view of your building by using the cameras of one of your neighbours and would they benefit from a similar arrangement?
An audit trail covering the management of the recording medium should be put in place. This should cover who commenced the recording, the period the recording covers and who removed the recording from the machine. The recording should be stored in a way that would identify whether the tape has been tampered with since it was removed.
CCTV is only useful if it can clearly show what activity is or has taken place and if it provides some opportunity to identify suspects. Your local crime prevention officer should be able to advise you on how to optimise CCTV coverage of your building.
Demand for business security advice soars
By Roger Blitz
The London bombings last month have prompted a surge of inquiries from businesses about security and how to remain trading in the event of a terrorist attack.
Requests for information and advice have soared 75 per cent since August 1 at Continuity Forum, a leading independent agency offering guidance on contingency planning in the UK.
The City of London Police have also reported an unusual amount of interest since comments last week by James Hart, the commissioner, that an attack on the UK financial district was inevitable.
Charles Clarke, home secretary, returned to work on Monday, saying after a meeting with Sir Ian Blair, Metropolitan Police commissioner, that it would be “absolutely foolish” to assume there would not be a third terrorist attack on the capital.
The surge in business continuity inquiries comes as retailers on Monday reported a fall of 9 per cent in sales in central London during July against the same month a year ago. The British Retail Consortium described the decline in retail sales as “very serious”.
Russell Price of Continuity Forum said it had received about 500 inquiries since August 1, including just over 30 per cent from London and 14 per cent from Paris. In a survey of business responses to the July 7 attacks, the Business Continuity Institute said as well as problems over mobile phone access, the attacks revealed difficulties businesses had in accounting for employees and directing them to safety.
Mr Price said a lot of the inquiries were coming from medium-sized businesses that until now had been struggling to understand the concept of business continuity, while smaller firms were hamstrung by the costs involved.
Chief Superintendent Alex Robertson of the City of London Police said: “Everybody does appreciate that the City of London is a target and has been a target for a considerable amount of time, just because of the nature of work we do here. “The vast majority appreciate it and we have to do everything we can to make sure we don’t become that target.”The City police want big businesses to incorporate smaller firms in their security and their warning systems.Rachel Goodison of London First, the business lobby group, said the surge in business continuity inquiries was unsurprising. “That is the main aspect of wake up calls like Mr Hart’s.”
The Metropolitan Police said the commissioner would have fully briefed the home secretary on progress on the investigations into the July 7 and July 21 attacks.
Having charged three people with the July 21 attacks and with a fourth being held in custody in Italy, they are now likely to focus more attention on the July 7 bombings.
They added they intended to maintain high visibility policing to provide reassurance to the public and as a continued deterrent.