Thinking Outside The Box: Ignored BIA can be costly
- Published on Monday, 19 November 2007 21:55
The Two-Edged Sword
It has been my contention that a business continuity plan is a two-edged sword. Properly created and implemented, it can help an organization survive a disastrous event that less prepared organizations do not. Ignored, it means the possibility of the organization's failure or, more likely, substantial financial loss.
Over the decade I have been creating business continuity plans, a number of organizations have gone through the business impact analysis (BIA) phase only to stop the planning process upon receipt of the first deliverable.
The first deliverable, after all, contains the planner’s findings:
• identification of critical business functions
• identification of risks to those functions
• risk prioritization – impact vs. probability
• risk avoidance or mitigation recommendations
The organization's management may feel it has met its fiduciary or regulatory obligations with the BIA alone.
With the court ruling discussed below, management has been disabused of this idea.
The BIA has gone from being a tool for pushing back a complete plan to a weapon which may be used against the organization if the plan is not completed, exercised, and maintained.
The court has effectively ruled that an incomplete plan is not a plan.
The court also effectively ruled that unless all reasonably foreseeable risks are considered, and evaluated realistically, the organization's management, including the security officer, may be held liable.
September 11, 2001
The events of Sept. 11, 2001, never should have happened. Period.
Hijacking aircraft was so common at one point in our recent history that a new word was coined: "skyjacking."
When skyjacking became what seemed to be an almost daily event, we cracked down at the airports and substantially increased security. Skyjackings decreased, and with the decrease, our interest in security decreased.
This yo-yo mentality was allowed to prevail several times in the closing decades of the 1900s. No curbside luggage check-in today, but wait until next week or the week after. Serious baggage inspections today, lackadaisical checks tomorrow.
On Sept. 11, we were in the “it can’t happen to us” mode.
Even after Sept. 11 some of the airline security leadership refused to acknowledge that what happened could happen. Today, when a person tests the system by attempting – usually successfully – to hide weapons on an aircraft, the person challenging authority is arrested but nothing is done to eliminate the security flaw; I have not once read that action will be taken to close the security gap.
I confess my comments may seem like “sour grapes,” unwarranted complaints. However, because I am a business continuity planner, I view the tests as ways to exercise the plan. The safest way to discover the inevitable deficiencies in any business continuity plan is to test the plan. Find the deficiencies before the event (How did those box cutters get on the aircraft?) rather than during the event, when the box cutters are in the hands of terrorists and at the throats of aircraft crew and passengers.
What the court opined is that there was sufficient evidence to consider aircraft a risk to certain structures and that this risk should have been addressed before Sept. 11, 2001.
The court’s opinion read, in part:
“Typically, a criminal act (such as terrorism or hacking) severs the liability of the defendant, but that doctrine has no application when the terrorism or hacking is reasonably foreseeable.”
The article continued: “The court went on to note that the danger of a plane crashing if unauthorized individuals invaded the cockpit was a risk that the defendant plane manufacturer should reasonably have foreseen – indicating that terrorist acts are indeed foreseeable.”
Not Just Terrorists
I think the court’s opinion is a move in the right direction. (By the time this sees the light of day, the decision may have been reversed.) I also think the court failed to understand business continuity planning.
For years other planners and I have been including aircraft accidents as a risk factor. For most of the plans, the impact of an accident was rated very high, but the probability was usually exceedingly low. For "most" of the plans.
If the plan covered an organization located beneath an airport's approach or take-off pattern, the probability went up. If the building was a skyscraper, the risk went up. Not because I was concerned about terrorists, foreign or homegrown. I was concerned simply because aircraft do crash.
In 1945, a B-25 bomber crashed into the Empire State Building, killing 14 and injuring many more. The US Army Air Force pilot got lost in the fog. No terrorist action occurred here.
On the ground, planes skid into other planes and people die.
It has long been this planner’s contention that terrorist acts most often mimic accidents.
To my mind and from a strictly business continuity point of view, it makes no difference if the planes which slammed into the World Trade Center towers were flown into the towers or accidentally drifted into the buildings. The result would have been the same.
Granted, in the specific case, the court viewed the companies which designed and built the aircraft, and the companies which operated them, as having a measure of liability.
Not Just Physical Security
A different court found that vendors have an obligation to meet their contractual agreements. The magazine reported that in a case which involved Verizon and the Maine Public Utilities Commission, “Verizon argued that it should not have to pay performance penalties since its Web site went down due to the Slammer worm. The commission found that viruses and worms are foreseeable events, as evidenced by the regular security bulletins issued by software companies.”
Proving once again that a well-crafted, exercised, and maintained business continuity plan is just good business, the magazine noted, “The commission found that Verizon had not taken the reasonable steps available to it; steps that competitors AT&T and WorldCom did take (installing patches to ward against Slammer). Ultimately, the commission found that Verizon should be held accountable for its failure, indicating that virus attacks are also completely foreseeable events.”
Addressed to security officers, the article focuses on both physical and data security.
Business continuity planners, if they are competent and if the organizations for which they labor want to survive unwanted events, must closely examine security issues, preferably with subject matter experts (SMEs), and must also look at possible risks outside the security arena. No one should expect a business continuity planner to be an SME in all fields.
While the legal issues cited here are security issues of various types, the decisions should make organizations realize that a business impact analysis which gathers dust on the shelf is an indictment of the organization until the BIA's recommendations are implemented.
I suspect, being a skeptic, that some organizations which planned to develop a BIA to satisfy some requirement will now even push that back.
To end on a positive note, management which is concerned about the organization will have another reason to push the business continuity process to full implementation – exercising and maintaining the plan.
John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others can be made at http://johnglenncrp.0catch.com/ or e-mailed to JGlennCRP@yahoo.com .