By Richard Bingley, Director CSARN and Senior Lecturer at the Department of Security and Resilience, Buckinghamshire New University and author of ‘Terrorism: Just the Facts’ and 'Arms Trade: Just the Facts'.
I keep being asked if there are case studies out there that relate business continuity management into counter-terrorism. Indeed, it was the subject of presentations that I used to deliver into NaCTSO, the UK National Counter-Terrorism Security Office, a few years ago now.
In short, there is a plethora of material out there… but here’s some of my routine references: first from the excellent study by Herbane, Elliot and Swartz (2004), Business Continuity Management: time for a strategic role? Herbane et al reported in reflections on 9/11 (that I’ve abridged here) that:
“The Senior Vice President of the Federal Reserve Bank of New York (Christopher McCurdy) commented that existing models of contingency planning in which single-site technical crises are considered should no longer be the order of the day: instead the priority should be the loss or lack of access to staff. Without them nothing can be recovered, restored or retrieved. In the most severe of crises – the worst case scenario – physical survival is an indicator of performance. Organisations such as Morgan Stanley and Lehman Brothers have recognised that the creative and flexible use of their resources supersedes the value gained from mimicking emergency plans.”
Blending in the work of Silverman and Larsen (2001) they reported:
“Morgan Stanley’s is an example of the benefits and limitations of business continuity. Continuous training following the 1993 World Trade Centre bombing meant that most of the company’s 3700 employees survived the evacuation of the South Tower in 2001. The company proceeded to establish contact with its dispersed employees using house calls, public broadcasts and one of its own call centres located in Arizona. Simultaneously, MS set out to recover its operations at alternative facilities... but not those also in the inaccessible lower Manhattan area. Recognising the differences in strategic importance between business units, operations and facilities, a temporary recovery centre was established in Brooklyn until the first recovery centre could be accessed. By Friday morning, testing activities were in progress and the recovery – both physical and emotional – was under way.”
My own view, and it’s hardly original, is that organisational culture and embedded values are fundamentally the most important ingredients to achieving optimised organisational resilience. These phenomena determine the types of staff recruited, they heavily influence (if not directly set) levels of staff agility and personal responsibility; and they certainly determine quality of training and personal development.
Following qualitative interviews with managers at the Taj Hotel, Mumbai, India, in the aftermath of the 2008 terrorist attacks, Deshpande and Raina reported in the Harvard Business Review (2011) how the chain’s “organisational culture nurtured employees who were willing to risk their lives...” in prioritising the safety of guests. According to the Review, the Taj’s approach to HR would “teach [all] people to improvise rather than do things by the book. Incumbent managers, rather than outside consultants, conduct all staff training. The Taj insists that “employees place guest’s interests over the company’s”. Somewhat proudly, a manager boasted that the Taj Group prefers to “recruit employees from the hinterland because that’s where traditional Indian values still hold sway” (Deshpande and Raina: 2011: 112-117). Sure, some may feel that particular approach might not be appropriate in other economies, but we should appreciate the insight provided by the Review’s article.
Similar commendations, including from this author, were recorded following visits and research to Mumbai’s business community and the Trident Oberoi, the other major hotel directly targeted during the three-day-long ambush. On one occasion soon after the attacks, our delegation at the time heard from Vikram Oberoi, then Chief Operating Officer of his family’s luxury Indian hotel chain, when he articulated his company’s philosophy to “treat guests as one would their own family.”
Counter-terrorism in built environments
According to the UK National Counter Terrorism Security Office (NACTSO), that has developed much guidance in this area, key concepts underpinning CT measures in crowded places and built environments are: proportionality, relevance and effectiveness.
Organisations should carry out their own ‘risk profiling’ and consult public agency partners such as Counter Terrorism Security Advisers (CTSAs), employed by police services but trained by NaCTSO, and Architectural Liaison Officers (ALOs) in local authorities. According to the risk profile, organisations should consider a range of counter-measures including:
Access Controls: gates, locks, key-codes, swipe-cards, biometric readers, guards, barriers, ANPR.
Hostile Vehicle Mitigation Measures: re-routing traffic, proportionate stand-off distances, pedestrian zones, street furniture, gardens (without cover) and obstacles
Surveillance: CCTV, physical counter surveillance cover. CCTV monitored by (licensed) permanent or contract staff, or alarm trigger and verification, or target identification and recognition (50-100% of screen height) approaches for criminal evidence purposes
Reception areas: protected from vehicle access and with proportionate vehicle stand-off distances. Integrate plants, bollards, blockers, barriers into forecourt arrangement. Placement of reception desks with clear fields of vision. Shatter proof glazing. Separate mail-handling quarters.
Communications: Incorporate redundancy in communications provision to prevent, or back-up, loss of primary communications (e.g. collapse of telephone switchboard system); prepare for website visit surges. Reinforce and augment network and information security.
Stand-off distances: enforce sufficient distances from PIEDS and VBIEDS, ideal is 30m for small car bombs. Zone building to put low or zero occupancy areas in more vulnerable locations. Lift reception and public/visitor atriums or spaces to a mezzanine floor, past initial access checks and controls. Bomb shelters and safe havens in centre of the building. Perimeter fencing with strict pre-allocated vehicle access and egress points. Design in vehicle rejection route.
Air handling units: can be used to disperse toxins and contaminants. Key staff and crisis management teams to be trained on operating (turning on/off) air conditioning, heating and water systems.
Service areas (e.g. delivery and staff entrances): shut, lock, CCTV, lighting, patrols, checks and random pattern monitoring; repeat access control principles outlined above as necessary.
Ballistic and Blast Protection: unbreakable glass (expensive), PVB laminated glass or anti-shatter film, ballistic glazing (principally, for Guard House-type building windows)
Examples of blended physical counter-terrorism measures in built environments include:
Bristol: Cabot Circus Shopping Centre; National Welsh Assembly, Cardiff; Corporation of London zone, City of London.
Key features include:
• street furniture and reconfigured surrounding streets to divert vehicle access
• pedestrian zones with large vehicle stand-off distances
• visually attractive and accessible
Merging BCM and CT
The logical thing to say is that these protective security options now need to be blended with business continuity policy and its present business managers. Because, for instance, barriers and access controls - whether in the guise of people or technology - can also provide for business dis-continuity or even humanitarian disaster if plans aren’t rehearsed and validated. (Remember your Analysis, Design, Implementation and Validation from the BCI Good Practice Guidelines!)
Getting the organisational balance right between disciplined agility (associated with crisis management) versus disciplined rigidity (associated with static security) seems to be the bane of professional life for an organisational resilience, or BCM manager.
I’m not seeking to fix your strategy here… probably solutions exist deconstructing silos, and employing and empowering the right people… but I just wanted to pinpoint some of external sources that, for me at present, appear most instructive.
Perhaps send me your ideas and if you wish to find out more, why not sign up for our Part-time BA Security Consultancy or MSc Business Continuity, Security and Emergency Management courses?!
Bruce, R. (2003) Stark Lessons in Corporate Survival, London Financial Times, 07/01/2003
Deshpande, R, and, Raina, A, (2011) The Ordinary Heroes of The Taj, Harvard Business Review, December 2011 (pp. 119-123)
Herbane B, Elliot D, and, Swartz E (2004) Business Continuity Management: time for a strategic role? Elsevier, Long Range Planning 37, pp. 435-457
Silverman, G. and, Larsen, P. (2001) Morgan Stanley staff were saved by lessons from 1993, The Financial Times, 15/09/2013