Something's been bugging me for the last few days that I have to get off my chest, even it ruffles some feathers. At this year's World Conference on Disaster Management, there was one encounter that made me question the theme of the conference--Are We
Really Prepared?
While taking in the many excellent general discussions and breakout sessions, I happened upon a breakout session hosted by a participant from the financial sector discussing BCP. Given all
the reform that has taken place within this critical sector, I assumed that all financial institutions must have well-developed plans. As
this recent paper from AT&T suggests, most financial institutions have been early adopters of BCP protocols, and expected to remain one step ahead of the pack:
While most organizations are aware of the need for business continuity and the majority of companies have some sort of disaster recovery plan, sectors that are more heavily reliant on IT tend to be further along the BCP path. Take the financial services sector, one of the most progressive industries of all, where outputs, such as certicicates of deposits, commercial paper and checking and savings accounts are, at the most basic level, information products. When comparing industries, the potential revenue loss arising from a network disruption is among the highest for banking and financial institutions.
The moderators for this particular discussion included a representative of one of Canada's five major banks. Over the course of the session, it seemed to me that the material presented seemed quite elementary, considering the audience they were addressing. Was it just me, or were others in the audience feeling the same way? Just then, I got a nudge from the guy beside me, a consultant to the
U.S. Department of the Treasury who said to me, "Are these guys really trying to sell this off as preparedness? Looks like they just pulled a list off the net and are running with it?" I guess I wasn't being overly critical of the presentation.
When the presentation ended, the floor was opened for Q&A and my new friend and I asked questions. We were taken aback by the responses we heard. As an example, the bank represenative identified himself as part of a crucial group is charged with emergency preparedness for the bank across Canada. When my friend asked him "What exactly would you do if an incident occurred right now?", our banking presenter shrugged and cooly stated that he was mere steps away from his offices in the financial core (an
intensely concentrated area representing the heart of the Canadian financial sector), and his team would convene to map out next steps. At this point I asked, "What would happen if that event took place right in the heart of the financial district?" He said it was a good question, but his team had already addressed it.
In fact, despite the fact that his institution made a net income exceeding $1B in 2003, they didn't feel as though dispersing this critical team across several locations made logistical sense, or
financial sense. I expressed concern over the bank's lack of forsight. To me, backup and site redundancy for an emergency team of a financial institution was lesson one in Emergency Planning 101. I was also alarmed because these folks are the ones who manage some of my assets. To assuage my concerns, this banking representative gave me an assurance that whatever decision they arrived at came about as a result of a detailed cost benefit analysis, with the customer being at the forefront of the decision they made.
Really, are they prepared?
Before attending this session, I was confortable with the belief that financial instituions are on the cutting edge of innovation with regard to business continuity planning and emergency preparedness. As it turns out, in at least one case, my bank demonstrated their "cutting edge" is about as sharp as a butter knife.