|
SURVEY
Business
Continuity Planning after September 11
By ROBERT C. CHANDLER, Ph.D.
& J.D. WALLACE, Ph.D.
The disastrous terrorist events of Sept. 11, 2001, were watershed moments
for the disaster recovery field. Obviously, the events brought infamy
and attention to the fundamental need for crisis management and disaster
recovery planning. For some, the terrorism attacks brought new corporate
focus and resources for planning. Most certainly, Sept. 11 began to
change both the way we plan and the specific aspects of our disaster
recovery planning.
On Sept. 18, 2001, exactly one week after the horrible events of Sept.
11, we collected reactions and perceptions of disaster recovery experts
about the impact of the attacks on their own disaster recovery planning.
Now after two years, we again have collected perceptions from disaster
recovery experts about the current state of disaster recovery planning
in the post-Sept. 11 world. Do DR and BCP experts have a “changed
world view” about terrorism threats and what are the most urgent
planning priorities that should be at the top of our terrorism planning
agenda?
A survey questionnaire was distributed to attendees at the 2004 DRJ
Spring World similar to the one distributed during the 2001 DRJ Fall
World on Sept. 18, 2001. The 2004 survey offers a unique and important
current “snapshot” of the thinking of disaster recovery
experts as well as providing a basis for comparison with our first comprehensive
survey conducted during the first days after Sept. 11. The results of
this investigation offers insight into how the Sept. 11 terrorist attacks
have affected the thinking and planning of the disaster recovery managers
in the post- Sept. 11 world.
Comparing Preparedness in 2001 with 2004
On Sept. 11, 2001, almost 20 percent of companies represented did not
have a written crisis management plan but that number had dropped to
only 9 percent by the spring of 2004. In 2001 only a small minority
of those plans specifically addressed “terrorist acts” (15
percent) and fewer still of those plans specifically addressed “acts
of war” (7 percent). However, in 2004, 40 percent of plans specifically
do address terrorism but only 13 percent of plans address “acts
of war.” Even more troubling is the discovery that 47 percent
of written plans still do not address “terrorism” threats
and this may be one of the more urgent agenda items for the disaster
recovery and business continuity field at this time.
The aftershock of Sept. 11, 2001, raised questions about the adequacy
of disaster recovery planning across the nation. In 2001, 84 percent
of all plans were in need of modifications and 46 percent of plans needed
to be modified “significantly.” Substantial terrorism preparedness
has been made since 2001. As of the spring of 2004, 38 percent of plans
now include preparedness for “9-11” type disasters, up from
only 12 percent in 2001. However, two thirds (64 percent) of all plans
still need some kind of further modification or “significant”
revisions toward preparedness for “9-11” type disasters.
By many measures preparedness has improved in the years since Sept.
11, yet there is still much more to do by disaster recovery planners.
Organizational Commitment to DR Planning Post-Sept. 11
In mid-September of 2001, two thirds (66 percent) reported that the
events of Sept. 11 had increased their company’s commitment, sense
of urgency, and intensity of disaster recovery planning in their organizations.
Within the first week after the attacks, 10 percent of companies surveyed
had “doubled” their commitment to disaster recovery planning.
Less than one-third (31 percent) reported they did not change or alter
the existing level of commitment or intensity of their planning, which
may have already been high.
The “9-11” attacks appeared to have increased the profile
of disaster recovery planners in most organizations and made the disaster
recovery plans an agenda item for strategic planners across industry
sectors. More than two years later, respondents indicate these initial
actions persist. In the spring of 2004, close to 90 percent reported
that resources for disaster planning had been increased in their companies
since Sept. 11. Thirty six percent report a “significant”
increase and 53 percent report a “modest” increase in disaster
planning resources since Sept. 11.
Immediately after Sept. 11, there was urgency to rethink disaster planning,
risk assumptions, and preparation contingencies. Now more than two years
later, two thirds of companies do include in their planning business
recovery plans, real time tracking of plan implementation, active plan
management, emergency notifications, simulation training, planning prioritization,
risk assessment, threat identification, and crisis team organization,
selection, and assessment. However, only 38 percent of companies engage
in active threat monitoring in 2004.
Perhaps these tasks are delegated to “security” or another
responsible party in the organization. However, subject matter experts
speak to the need for coordination and integration of threat monitoring
and the planning process.
It seems reasonable that there is some need for including active monitoring
of threats and terrorism risks by, or with, business continuity and
disaster recovery planners in your company. This is an area where greater
DR and BCP focus and development should be prioritized.
‘Changed World’ Hypothesis Perceived Terrorism
Threat Risks After Sept. 11
The world and perceptions of threat risks seemed to be profoundly “changed”
for DR experts in the days after Sept. 11. In 2001 respondents reported
that their perceptions overall of the threat risks of a number of disaster
scenarios had been changed in the aftermath of Sept. 11.
Four threat risks were considered as substantially higher risks: terrorism,
war, biological hazards, and explosions. Rated as now approaching higher
risks were bomb threats, sabotage, radiation exposure, civil disorder,
airport proximity, computer crime, hazardous waste, work stoppages,
chemical spills, kidnapping, and vehicle crashes.
The “changed world” post-Sept. 11 hypothesis may well be
reflected in these responses. Respondents were seriously beginning to
anticipate and prepare to mitigate and respond to these risks. It is
also interesting to note that DRJ 2001 Fall World participants recognized
a significantly increased threat risk of belligerent biological hazards
on Sept. 18, before the subsequent anthrax infestations and media coverage
of other attacks.
Some planners apparently began to consider some risks for the first
time (i.e., the dangers and risks associated with nearby airports).
Some perceived threat risks such as theft/robbery, kidnapping, and burglary
were unchanged. Remarkably, the risk of embezzlement was seen as lower.
Since 2001, DR and BCP planning has significantly increased its focus
and attention on some aspects of terrorism threat preparedness. Several
threat risks are now included in a significantly greater number of plans
compared with 2001. These include bomb threats (70 percent), computer
crime (49 percent), terrorism attacks (47 percent), mail threats (47
percent), chemical release (43 percent), and HAZMAT release (43 percent).
The DR and BCP field has dramatically increased its planning and readiness
in the past two years. However, there is still much work remaining to
be done and such preparedness is regrettably not the universal norm
as of yet.
‘Changed World’ Hypothesis Perceived Terrorism
Threat Risks in 2004
The world and perceptions of threat risks still appear to be “changed’
for DR experts in the years after Sept. 11, but those changes are slowly
evolving and are not precisely the same as they were in the days immediately
following the attacks. In 2004, the threat risks seen as higher or significantly
higher in the post-Sept. 11 world include biological events, bomb threats,
computer crime, hazardous waste, hostages, mail threats, mass destruction,
radiation events, sabotage, terrorism, and travel threats. Most of these
perceptions of threat risks are similar to the expert’s perceptions
of the risks immediately following the Sept. 11 attacks. In addition,
the strength or intensity of the perceptions of threat appears to have
subsided somewhat since those first few days following Sept. 11.
Time has not diminished our perception of the reality of potential terrorism
threats but we are a bit less likely to believe that such subsequent
attacks are as imminent as we did in the days following Sept. 11. However,
the one new threat seen as an increased threat risk in 2004, significantly
higher than the 2001 perception, is the area of computer crime. On the
other hand, the threat of the risks of “war” was actually
perceived as significantly lower in 2004 than it was in the days immediately
following Sept. 11. Perhaps the increasing sophistication of computer
or data attacks (hackers, viruses, worms, etc.) and the publicity surrounding
these risks have generated the stronger perception of risks from attack
than was present in 2001. Further, the threat risks from a “war”
might have been lessened in the minds of the experts simply because
of the current on-going war operations and the sense that such activities
have become an accepted “background” context for DR and
BCP processes.
Recommendations for Planning Priorities
In 2004, the disaster recovery experts identified the most pressing
priorities they would recommend for plan changes, modifications, development,
and revisions. Although there were some predictable differences in recommendations
for revising plans between those companies who already had the issues
addressed in their plans and those that still did not have the issues
addressed in their plans, the consensus of recommendation is enlightening.
Four DR/BCP planning areas were universally recommended for greater
attention by both those who already included these dimensions in their
plan and those that did not. These recommendations for four areas of
plan revision, increased focus, and modification were: (1) establishing
criteria for resumption of normal operations (define criteria for ending
the “declared disaster” phase of operations), (2) systematic
real time tracking of plan implementation, (3) simulation training for
personnel, and (4) the planning prioritization process. Not surprisingly,
those companies whose plans did not already include these aspects recommended
the importance of adding these aspects to their plans as “significantly
higher.” In addition, companies that did not include the aspect
in the current plans also perceived a need for “significantly”
greater attention to the (1) development of a business recovery plan,
(2) procedures for plan management, (3) risk assessment, (4) threat
identification, and (5) crisis team development, organization, training,
and assessment.
We asked the DR experts for their perceptions of which human threat
risks, vulnerabilities, and areas of concern that they perceived as
higher or lower. DR experts identified three threat areas as much higher
risks since Sept. 11. These three are computer crime, violent terrorist
attacks, and acts of sabotage. Furthermore, other threats viewed as
higher risks include biological events, bomb threats, chemical spills,
hazmat waste, kidnapping/hostages, mail threats, mass destruction, radiation
events, and employee/executive travel threats. Given the current lack
of planning for terrorist events, these areas clearly serve as a priority
list for prudent DR and BCP planners.
Conclusions
The events of Sept. 11, 2001, appear to have significantly changed DR
and BCP experts’ perceptions, risk assessment, company urgency
of commitments, and planning for disaster mitigation and recovery. These
changes persist in the 2004 survey data. It is also clear that business
(and disaster recovery planning) has in fact changed since Sept. 11.
Disaster recovery planners were not fully prepared for the events of
Sept. 11. While they are better prepared and in the process of becoming
prepared, there is still much left to accomplish in the area of terrorism
preparedness. Plans still need to be rethought and revised in terms
of the terrorism threat risks.
Upper management and organizational support for disaster recovery planning
has increased. More focus and attention to preparing for terrorism threats
still need to occur across all industries and businesses. While disaster
recovery planning has advanced as an organizational priority, it must
continue to mature and fully and adequately address the type, intensity,
scale, and severity of terror disasters. New resources and attention
have been devoted to DR and BCP for terror attacks. Nonetheless, this
survey provides reasonable evidence that there remains a great need
for many companies to increase their specific planning for terrorism
threats. Far too many companies do not have plans in place nor have
they begun the process to address these risks in their DR and BCP plans/planning
process. This should serve as a wake up for managers and executives
of all industries. Many companies have yet to develop the comprehensive
and integrated planning essential for DR and BCP preparedness for terrorism
threats.
Fortunately, DR experts provide us with a working agenda of where to
focus future planning efforts and energy. Three threat risks that are
seen as much higher risks are computer crime, violent terrorist attacks,
and sabotage. These specific terror threats should be at the very top
of the planning agenda. Other threats viewed as higher risks include
biological events, bomb threats, chemical spills, hazmat waste, kidnapping/hostages,
mail threats, mass destruction, radiation events, and employee/executive
travel threats. Each of these emerging terror threats should also be
high priority considerations for mitigation and DR and BCP preparedness
planning. Furthermore, the planning process for terrorism for companies
need greater attention to: (1) establishing criteria for resumption
of normal operations (defining criteria for ending the “declared
disaster” phase of operations), (2) systematic real time tracking
of plan implementation, (3) simulation training for personnel, and (4)
the planning prioritization process.
Specifically, this survey finds that there is still a need for processes,
structures, and responsibility for more active threat monitoring. It
is important to begin to plan for monitoring the ebb and flow of threat
risks, utilizing the national terrorism alert warning system, using
public and private resources to analyze the probability of an attack
on or near a specific target or geographic location, working to obtaining
resources, building informational networks, working with insurance and
security resources, assessing specific threat levels, and keeping up
to date for warning signs about suspicious activities or behaviors.
Prudent companies will take heed of these new realities and make preparedness
for terrorism threats, DR, and BCP for terrorism a strategic priority.
It is essential to initiate the planning process for terrorism preparedness
if you have not already done so. Put terrorism threats on the agenda
for your next DR, BCP, or crisis management team meeting; conduct a
thorough a terrorism impact analysis; plan a workday devoted to threat
and preparedness brainstorming, participate in a workshop or interactive
course on preparing for terrorism threats; and systematically review,
assess, and test the plans you currently have in place.
One way to get this process started or to assess your current planning
activities is to assemble your planning team and/or crisis management
team to review your current state of preparedness for terrorism threats.
Integrate information and planning from all relevant departments including
security, operations, risk management, human resources, IT, legal, public
relations, and of course senior management. Pull your key personnel
out for a “think tank” session where threat issues can be
brainstormed and scenario response protocol timelines evaluated. Have
your team participate in a workshop or interactive course on BCP for
terrorism. Coordinate with emergency responders, law enforcement, insurance
providers, and other key resources that are critical during such events.
Assess your facility, emergency supplies, procedures, policies, access,
mail center, entrance/exit, internal communication system, evacuation,
and other key aspects that might be the difference between life and
death for your personnel during an actual terror attack. The key is
to begin the process of thorough review and analysis of your unique
situation.
Over two years have passed since the horrible events of Sept. 11. Many
companies are substantially better prepared today than they were in
2001 for the threats of terrorism. However, far too many remain ill
prepared and unready to cope with terrorism threats. There are clearly
identifiable priorities for BCP and DR planning that are relevant to
all companies in almost every industry. It is feasible to substantially
upgrade your preparedness for terrorism threats and initiate prudent
continuity planning for terrorism. Will your plan, your company, and
your people be ready when the next major terrorist event occurs? The
answer to this question is largely up to you.
Dr. Robert C. Chandler is the Blanche E. Seaver professor and chair
of the communication division at Pepperdine University, specializing
in organizational communication, terrorism threats preparedness planning,
crisis decision making, crisis teamwork, crisis team selection and training,
crisis leadership, crisis team assessment, communication effectiveness,
multicultural diversity, communication and conflict, and employee ethical
conduct. He can be contacted at: robert.chandler@pepperdine.edu.
Dr. J.D. Wallace is an associate professor of communication at Lubbock
Christian University. His most recent research has been in immediacy
in virtual groups, corporate image restoration strategies, and coordination
in computer-mediated environments.
©Copyright
2004 Systems Support Inc. All rights reserved. Reproduction in whole
or in part in any form or medium without the express written permission
of System Support Inc. is prohibited.
«BACK
to the Articles Index
|
