Preparing for Terror: A RM How-To
By Diana Reitz
From the April 7, 2003, issue of National Underwriter—Property and Casualty edition
I grew up during the cold war—a time when duck and cover was practiced in classrooms, when children feared the sound of an overhead plane as the first strike of an “invasion,” when people were encouraged to build and provision civil defense shelters in their homes.
So déjà vu sets in when I hear officials from the Department of Homeland Security talk about citizen preparedness and disaster supply kits. I think it's unfortunate that the general media has zeroed in on inane details and summed up the discussion in four words: duct tape and plastic.
But there's a lot more to it than duct tape and plastic, and it's critical for businesses to recognize that.
Dismissing the potential threat because it's a foregone conclusion that we'll all be wiped out by the next one or, conversely, that it can't happen to me so why bother, is akin to hoping the bill collector will just go away if we ignore him.
Most disaster preparedness specialists I've talked with think 1) the threat of a direct terrorist attack on an individual or business is remote and 2) if there is one, the attack very likely could impact a community for a limited period of time. These two thoughts provide a good framework upon which businesses can develop reasonable response and recovery plans.
The primary goal, of course, is the same as that for fires, tornadoes, earthquakes, and other perils: protecting the life and health of employees and others who might be on the premises. Secondary goals are to protect property and revenue streams as much as possible.
According to the authors of Business at Risk: How to Assess, Mitigate, and Respond to Terrorist Threats (National Underwriter Co. 2002), businesses should begin by assessing how three components of the terrorism risk might affect their operations: the probability of a terrorist action impacting their business; the physical vulnerabilities of their premises, systems, and connections to other businesses; and the financial impact of an attack on their business continuity.
When assessing the probability that a terrorist attack could affect their business, business owners and managers should consider the primary terrorist threats: nuclear, biological, chemical, incendiary, explosive, and cyber.
They should realize that the damage caused by blowing up a tanker truck laden with chemicals or flammable liquids along a nearby highway (a chemical, incendiary, and/or explosive threat) could be just as devastating to an individual business as, and undoubtedly more probable than, the release of biological or nuclear weapons.
Granted, there are numerous hazardous material leaks that are not related to terrorism each year. The probability increases, however, when the terrorist threat is added to the equation.
Another often overlooked but realistic terrorist threat is that of a cyber attack. Hackers who have gotten into the game just for kicks or pure financial gain already have stolen thousands of credit card numbers and held various e-businesses hostage over personal client data. Add the possibility of terrorist motives, and the mix gets decidedly more lethal.
Yet companies still may refuse to acknowledge the possibility that their computer systems may be vulnerable to terrorist attacks. As noted by many cyber insurance and risk management experts, too many businesses still are failing to invest in disaster recovery and business continuity plans for their e-business activities.
The second step of the assessment phase—a vulnerability assessment—identifies the weaknesses in the physical security of not only individual buildings, but also their computer and utility systems. Human factors—how people might be exposed and how they might respond in an emergency—should be emphasized.
Included in a vulnerability assessment should be surveys of the property, interviews with building managers and security personnel, reviews of emergency procedures that already are in place, and evaluations of life-safety systems.
Three of the most critical areas that may be vulnerable are the emergency notification system for occupants, the actual means of egress from a building, and the emergency procedures that direct occupants to either evacuate or shelter in place until a threat passes.
Potential gaps in any of these provisions need to be addressed not only on paper, but also with all managers and employees who need to be aware of and trained in their implementation and use.
For example, what is the procedure for people entering and leaving the building? Is there a system to record everyone who enters and when they leave? Is the system enforced? If it's an electronic system, would the information be available in the event of a power outage?
Are visitors accompanied during their stay? If the building were evacuated, would someone be prepared to account for the exit of all visitors and normal occupants? What about those with hidden—or even visible—physical disabilities? Are they provided for in the plan?
In addition, are facility managers prepared to decide whether building occupants should be evacuated and when they should remain within a building? Have plans been drawn up to shelter occupants in the safest location of the building during a terrorist activity? Do they understand that, in the event of a chemical or biological threat, people need to go to an upper floor instead of following the normal human response to move down and out of a building?
Another consideration in the vulnerability assessment is the likely availability of public emergency response teams at the time of a disaster. If transportation is affected, or if the attack is widespread, businesses may have to rely on their own resources—at least in the short term. Consider, for example, the drain on public resources that occurred during the anthrax scares of the immediate post-9/11 period.
The third phase is determining the potential impact of a terrorist act on business continuity. What will an attack cost the business?
This logically is an extension of the traditional business continuity assessment. However, the results of the threat and vulnerability assessments could cause an individual business to reconsider the type or length of potential business interruptions.
Business data must be collected and analyzed when conducting a business impact analysis. Interviews, questionnaires, and surveys may be used to develop a comprehensive analysis of the potential business impact.
Included should be an analysis of the potential loss of critical personnel and experience if trained employees are either lost or unable to work; the impact of the loss of buildings and equipment, including suppliers that may not be able to provide needed materials or parts; the possible loss of public infrastructure, such as roads and bridges, and that impact on the business; and the interdependencies that today are so much a part of business.
Interdependencies include areas such as electronic networks, supply side vendors, and distribution links in the business chain. A failure of any of these could seriously impact business continuity and, ultimately, survival from an attack.
Countless lives were undoubtedly saved on 9/11 because security measures were taken to revamp the evacuation plans for the World Trade Center complex after the initial 1993 bombing of the World Trade Center. A warning was received and people learned.
The entire country has received many warnings since then. Businesses that choose to ignore the potential for future terrorist attacks despite increasing world volatility are shirking their responsibility not only to their employees—but also to their shareholders and customers.

