Comparing Preparedness in 2001 with 2004
On Sept. 11, 2001, almost 20 percent of companies represented did not have a written crisis management plan but that number had dropped to only 9 percent by the spring of 2004. In 2001 only a small minority of those plans specifically addressed “terrorist acts” (15 percent) and fewer still of those plans specifically addressed “acts of war” (7 percent). However, in 2004, 40 percent of plans specifically do address terrorism but only 13 percent of plans address “acts of war.” Even more troubling is the discovery that 47 percent of written plans still do not address “terrorism” threats and this may be one of the more urgent agenda items for the disaster recovery and business continuity field at this time.
The aftershock of Sept. 11, 2001, raised questions about the adequacy of disaster recovery planning across the nation. In 2001, 84 percent of all plans were in need of modifications and 46 percent of plans needed to be modified “significantly.” Substantial terrorism preparedness has been made since 2001. As of the spring of 2004, 38 percent of plans now include preparedness for “9-11” type disasters, up from only 12 percent in 2001. However, two thirds (64 percent) of all plans still need some kind of further modification or “significant” revisions toward preparedness for “9-11” type disasters. By many measures preparedness has improved in the years since Sept. 11, yet there is still much more to do by disaster recovery planners.
Organizational Commitment to DR Planning Post-Sept. 11
In mid-September of 2001, two thirds (66 percent) reported that the events of Sept. 11 had increased their company’s commitment, sense of urgency, and intensity of disaster recovery planning in their organizations. Within the first week after the attacks, 10 percent of companies surveyed had “doubled” their commitment to disaster recovery planning. Less than one-third (31 percent) reported they did not change or alter the existing level of commitment or intensity of their planning, which may have already been high.
The “9-11” attacks appeared to have increased the profile of disaster recovery planners in most organizations and made the disaster recovery plans an agenda item for strategic planners across industry sectors. More than two years later, respondents indicate these initial actions persist. In the spring of 2004, close to 90 percent reported that resources for disaster planning had been increased in their companies since Sept. 11. Thirty six percent report a “significant” increase and 53 percent report a “modest” increase in disaster planning resources since Sept. 11.
Immediately after Sept. 11, there was urgency to rethink disaster planning, risk assumptions, and preparation contingencies. Now more than two years later, two thirds of companies do include in their planning business recovery plans, real time tracking of plan implementation, active plan management, emergency notifications, simulation training, planning prioritization, risk assessment, threat identification, and crisis team organization, selection, and assessment. However, only 38 percent of companies engage in active threat monitoring in 2004.
Perhaps these tasks are delegated to “security” or another responsible party in the organization. However, subject matter experts speak to the need for coordination and integration of threat monitoring and the planning process.
It seems reasonable that there is some need for including active monitoring of threats and terrorism risks by, or with, business continuity and disaster recovery planners in your company. This is an area where greater DR and BCP focus and development should be prioritized.
‘Changed World’ Hypothesis Perceived Terrorism Threat Risks After Sept. 11
The world and perceptions of threat risks seemed to be profoundly “changed” for DR experts in the days after Sept. 11. In 2001 respondents reported that their perceptions overall of the threat risks of a number of disaster scenarios had been changed in the aftermath of Sept. 11.
Four threat risks were considered as substantially higher risks: terrorism, war, biological hazards, and explosions. Rated as now approaching higher risks were bomb threats, sabotage, radiation exposure, civil disorder, airport proximity, computer crime, hazardous waste, work stoppages, chemical spills, kidnapping, and vehicle crashes.
The “changed world” post-Sept. 11 hypothesis may well be reflected in these responses. Respondents were seriously beginning to anticipate and prepare to mitigate and respond to these risks. It is also interesting to note that DRJ 2001 Fall World participants recognized a significantly increased threat risk of belligerent biological hazards on Sept. 18, before the subsequent anthrax infestations and media coverage of other attacks.
Some planners apparently began to consider some risks for the first time (i.e., the dangers and risks associated with nearby airports). Some perceived threat risks such as theft/robbery, kidnapping, and burglary were unchanged. Remarkably, the risk of embezzlement was seen as lower.
Since 2001, DR and BCP planning has significantly increased its focus and attention on some aspects of terrorism threat preparedness. Several threat risks are now included in a significantly greater number of plans compared with 2001. These include bomb threats (70 percent), computer crime (49 percent), terrorism attacks (47 percent), mail threats (47 percent), chemical release (43 percent), and HAZMAT release (43 percent). The DR and BCP field has dramatically increased its planning and readiness in the past two years. However, there is still much work remaining to be done and such preparedness is regrettably not the universal norm as of yet.
‘Changed World’ Hypothesis Perceived Terrorism Threat Risks in 2004
The world and perceptions of threat risks still appear to be “changed’ for DR experts in the years after Sept. 11, but those changes are slowly evolving and are not precisely the same as they were in the days immediately following the attacks. In 2004, the threat risks seen as higher or significantly higher in the post-Sept. 11 world include biological events, bomb threats, computer crime, hazardous waste, hostages, mail threats, mass destruction, radiation events, sabotage, terrorism, and travel threats. Most of these perceptions of threat risks are similar to the expert’s perceptions of the risks immediately following the Sept. 11 attacks. In addition, the strength or intensity of the perceptions of threat appears to have subsided somewhat since those first few days following Sept. 11.
Time has not diminished our perception of the reality of potential terrorism threats but we are a bit less likely to believe that such subsequent attacks are as imminent as we did in the days following Sept. 11. However, the one new threat seen as an increased threat risk in 2004, significantly higher than the 2001 perception, is the area of computer crime. On the other hand, the threat of the risks of “war” was actually perceived as significantly lower in 2004 than it was in the days immediately following Sept. 11. Perhaps the increasing sophistication of computer or data attacks (hackers, viruses, worms, etc.) and the publicity surrounding these risks have generated the stronger perception of risks from attack than was present in 2001. Further, the threat risks from a “war” might have been lessened in the minds of the experts simply because of the current on-going war operations and the sense that such activities have become an accepted “background” context for DR and BCP processes.
Recommendations for Planning Priorities
In 2004, the disaster recovery experts identified the most pressing priorities they would recommend for plan changes, modifications, development, and revisions. Although there were some predictable differences in recommendations for revising plans between those companies who already had the issues addressed in their plans and those that still did not have the issues addressed in their plans, the consensus of recommendation is enlightening.
Four DR/BCP planning areas were universally recommended for greater attention by both those who already included these dimensions in their plan and those that did not. These recommendations for four areas of plan revision, increased focus, and modification were: (1) establishing criteria for resumption of normal operations (define criteria for ending the “declared disaster” phase of operations), (2) systematic real time tracking of plan implementation, (3) simulation training for personnel, and (4) the planning prioritization process. Not surprisingly, those companies whose plans did not already include these aspects recommended the importance of adding these aspects to their plans as “significantly higher.” In addition, companies that did not include the aspect in the current plans also perceived a need for “significantly” greater attention to the (1) development of a business recovery plan, (2) procedures for plan management, (3) risk assessment, (4) threat identification, and (5) crisis team development, organization, training, and assessment.
We asked the DR experts for their perceptions of which human threat risks, vulnerabilities, and areas of concern that they perceived as higher or lower. DR experts identified three threat areas as much higher risks since Sept. 11. These three are computer crime, violent terrorist attacks, and acts of sabotage. Furthermore, other threats viewed as higher risks include biological events, bomb threats, chemical spills, hazmat waste, kidnapping/hostages, mail threats, mass destruction, radiation events, and employee/executive travel threats. Given the current lack of planning for terrorist events, these areas clearly serve as a priority list for prudent DR and BCP planners.
The events of Sept. 11, 2001, appear to have significantly changed DR and BCP experts’ perceptions, risk assessment, company urgency of commitments, and planning for disaster mitigation and recovery. These changes persist in the 2004 survey data. It is also clear that business (and disaster recovery planning) has in fact changed since Sept. 11. Disaster recovery planners were not fully prepared for the events of Sept. 11. While they are better prepared and in the process of becoming prepared, there is still much left to accomplish in the area of terrorism preparedness. Plans still need to be rethought and revised in terms of the terrorism threat risks.
Upper management and organizational support for disaster recovery planning has increased. More focus and attention to preparing for terrorism threats still need to occur across all industries and businesses. While disaster recovery planning has advanced as an organizational priority, it must continue to mature and fully and adequately address the type, intensity, scale, and severity of terror disasters. New resources and attention have been devoted to DR and BCP for terror attacks. Nonetheless, this survey provides reasonable evidence that there remains a great need for many companies to increase their specific planning for terrorism threats. Far too many companies do not have plans in place nor have they begun the process to address these risks in their DR and BCP plans/planning process.
This should serve as a wake up for managers and executives of all industries. Many companies have yet to develop the comprehensive and integrated planning essential for DR and BCP preparedness for terrorism threats.
Fortunately, DR experts provide us with a working agenda of where to focus future planning efforts and energy. Three threat risks that are seen as much higher risks are computer crime, violent terrorist attacks, and sabotage. These specific terror threats should be at the very top of the planning agenda. Other threats viewed as higher risks include biological events, bomb threats, chemical spills, hazmat waste, kidnapping/hostages, mail threats, mass destruction, radiation events, and employee/executive travel threats. Each of these emerging terror threats should also be high priority considerations for mitigation and DR and BCP preparedness planning. Furthermore, the planning process for terrorism for companies need greater attention to: (1) establishing criteria for resumption of normal operations (defining criteria for ending the “declared disaster” phase of operations), (2) systematic real time tracking of plan implementation, (3) simulation training for personnel, and (4) the planning prioritization process.
Specifically, this survey finds that there is still a need for processes, structures, and responsibility for more active threat monitoring. It is important to begin to plan for monitoring the ebb and flow of threat risks, utilizing the national terrorism alert warning system, using public and private resources to analyze the probability of an attack on or near a specific target or geographic location, working to obtaining resources, building informational networks, working with insurance and security resources, assessing specific threat levels, and keeping up to date for warning signs about suspicious activities or behaviors.
Prudent companies will take heed of these new realities and make preparedness for terrorism threats, DR, and BCP for terrorism a strategic priority. It is essential to initiate the planning process for terrorism preparedness if you have not already done so. Put terrorism threats on the agenda for your next DR, BCP, or crisis management team meeting; conduct a thorough a terrorism impact analysis; plan a workday devoted to threat and preparedness brainstorming, participate in a workshop or interactive course on preparing for terrorism threats; and systematically review, assess, and test the plans you currently have in place.
One way to get this process started or to assess your current planning activities is to assemble your planning team and/or crisis management team to review your current state of preparedness for terrorism threats. Integrate information and planning from all relevant departments including security, operations, risk management, human resources, IT, legal, public relations, and of course senior management. Pull your key personnel out for a “think tank” session where threat issues can be brainstormed and scenario response protocol timelines evaluated. Have your team participate in a workshop or interactive course on BCP for terrorism. Coordinate with emergency responders, law enforcement, insurance providers, and other key resources that are critical during such events. Assess your facility, emergency supplies, procedures, policies, access, mail center, entrance/exit, internal communication system, evacuation, and other key aspects that might be the difference between life and death for your personnel during an actual terror attack. The key is to begin the process of thorough review and analysis of your unique situation.
Over two years have passed since the horrible events of Sept. 11. Many companies are substantially better prepared today than they were in 2001 for the threats of terrorism.
However, far too many remain ill prepared and unready to cope with terrorism threats. There are clearly identifiable priorities for BCP and DR planning that are relevant to all companies in almost every industry. It is feasible to substantially upgrade your preparedness for terrorism threats and initiate prudent continuity planning for terrorism. Will your plan, your company, and your people be ready when the next major terrorist event occurs? The answer to this question is largely up to you.
Dr. Robert C. Chandler is the Blanche E. Seaver professor and chair of the communication division at Pepperdine University, specializing in organizational communication, terrorism threats preparedness planning, crisis decision making, crisis teamwork, crisis team selection and training, crisis leadership, crisis team assessment, communication effectiveness, multicultural diversity, communication and conflict, and employee ethical conduct. He can be contacted at: email@example.com.
Dr. J.D. Wallace is an associate professor of communication at Lubbock Christian University. His most recent research has been in immediacy in virtual groups, corporate image restoration strategies, and coordination in computer-mediated environments.