Gill Blog: August 2004

Gill Blog

Tuesday, August 31, 2004

A Convention, a Vacation, and a Cuppa Joe

Given the tight security net that has been placed around Manhattan during this week's Republican National Convention, it's hardly surprising that many who work in the Big Apple have chosen to just stay away this week. A couple of posts ago we suggested this may be an opportunity for businesses to test out their business continuity plans. For organizations, it is also an opportunity to test the effectiveness of teleworking:
A survey of 54 Manhattan companies found that 49 percent plan to change workers' routines -- mostly by allowing them to do their jobs from home or from offices outside Manhattan. The rest said they plan "business as usual," according to the survey by CoreNet Global

Accenture told its workers in a memo that, while its midtown office on Avenue of the Americas, a mile from the Garden, will remain open, employees should consider working from home, a client's office, or from its two New Jersey offices.

Merrill Lynch & Co., the largest securities firm by capital, advised employees in a memo to expect traffic congestion and encouraged them to avoid car or bus travel into and around the city.
Where the legions of displaced workers will be doing their work is anyone's guess, but if they're not working in their offices, or their homes, guess where you'd be most likely to find them? If you said Starbucks, you'd be correct. In fact Starbucks is all about the experience, and has effectively created a place where people can meet, work, or just relax. It's not just about the coffee anymore.

Saturday, August 28, 2004

Lessons in Policy Implementation from Mr. Clarke

Most readers of this blog understand that one of the central challenges faced by emergency planners is to harmonize communications and policy between silos that were previously separated. It often seems so easy to sit back as an armchair quarterback and assume that moving policy forward can be achieved at the snap of a finger. Often though, like so many things in life, things are much easier said than done, and the examples we base these conclusions on don’t necessarily have to come from the highest corridors of power, but from just around the corner.

Yesterday afternoon, I was going to my local Starbucks to scan the net to see if there might be some interesting piece to blog, when just before entering I heard a voice from the outdoor patio say “Tony?” I turned around and saw it was actually my old eighth grade social studies teacher, Jim Clarke (Mr. Clarke - except for a little gray – didn’t look a day older than he did when he was my teacher more than 25 years ago, and he still stands today as one of the best educators I ever encountered).

Mr. Clarke and his wife were enjoying their iced coffees, so they invited me to join them for a little chit-chat. After going through the regular routine of finding out who’s been up to what, we turned to the topic of family. They both had recently arrived back home after dropping their youngest daughter off to her freshman year in college in Alabama (their daughter received an athletic scholarship in synchronized swimming, and found this school put the best foot forward when making their offer).

We started talking about the familiar dislocation that is generally felt by all kids who arrive at college for the first time – checking into a dorm, moving stuff in, getting class schedules, and opening a bank account. For some reason though, the Clarkes’ own experience was particularly troublesome. As Canadians, there were now a number of new bureaucratic hoops they had to jump through in order to do those simple things like getting an ATM card, opening a bank account, and even acquiring a student number.

Without getting into the details, they went through a nightmare, and when they actually went to student affairs (those who so diligently wooed their daughter to enroll at their institution) and told their story, they described the administrator’s reaction as being profusely apologetic, and a little embarrassed. As they explained, the new policies were being completely driven by Homeland Security Policy, and the administration was being forced to comply; “It was never like this before,” the Clarkes were told.

This story points out the difficulties that exist at the cultural level of policy adoption. The basic lesson learned from this story in my opinion, is that if the experience of a Canadian synchronized swimmer in Alabama can cause a kafuffle between campus policies and those of Homeland Security, I wonder what types of power struggles are simultaneously taking place within organizational silos in the highest levels of government that previously were autonomous, but now have to cooperate with others.

Wednesday, August 25, 2004

Insurance Compliance (again)

An underlying theme of many recent posts has been insurance compliance. Time and time again, I have said that insurance companies will be the primary driving force behind the widespread adoption of BCP programs. The Civil Contingencies Bill, a piece of UK legislation we talked about earlier in the year, is now nearing its passage through parliament (a fact I read about in this article). One of the key areas this Bill mandates is the need for all companies to adopt BCP plans in order to maintain lower insurance premiums. It is also interesting to note that the adoption of BCP programs will be driven by new legislation within the European Union as well:
Many insurance companies now request details about their client company’s business continuity provisions as part of their audit process. Where there is found to be no viable continuity plan, the client’s insurance premiums may rise as a direct consequence. This, together with the fact that forthcoming European Union legislation requires every company, regardless of size, to have some form of continuity plan, means that demand for business continuity services is bound to rise.
I also found the following quote particularly relevant:
Disasters, fires, bombs and rivers which burst their banks don’t have to directly affect your premises to wreck your businesses. Emergency services routinely cordon off entire areas surrounding the impact point and bar all-comers from gaining access to their vital business records.
It was just yesterday morning in the middle of rush hour when a dramatic hostage-taking incident unfolded in the very heart of Toronto's financial district. The entire financial core was cordoned off while the drama unfolded.

Despite the need for companies to comply, BCP adoption rates remain slow. There is nothing like the love of the mighty buck (or pound sterling, as the case may be), however, to make executives take notice and put their plans into high gear.

Tuesday, August 24, 2004

Changing European Weather Patterns

I have often discussed the importance of taking a complete view of the universe of risk when formulating risk mitigation strategies. Too often - especially in today's charged environment - terrorism becomes the only event that BCP planners will focus on when putting together their plans.

Over the past few weeks we have mentioned a major flood in southern Canada, and a devastating hurricane that hit the west coast of Florida. As I bang out this post, Typhoon Aere is bearing down on Taiwan. So are these isolated incidents, or does it seem as though devastating natural events are on the rise?

Last night, I found myself burning a little bit of the midnight oil, and after 1 a.m., tuned into CBC Radio on the web. At this time the CBC broadcasts news from broadcasters around the world, so I happened to be listening to Radio Netherlands, when I came across this item confirming that weather patterns in Europe are indeed changing.
Keimpe Wieringa recalls the 2003 heatwave which caused around 20,000 deaths, and the floods only months before that wrought havoc in Germany and the Czech Republic. He says that "it's now estimated that we have a loss here in Europe of about 11 billion euros on a yearly basis" because of such extreme weather events. In fact, they account for 79 percent of all economic losses caused by catastrophic events since 1980. And these losses have increased significantly in that time, partly because of "our economic welfare – the value of houses - has gone up", but also because the average number of such events has dramatically increased, doubling during the 1990s as compared with the previous ten years.
If this trend is in fact part of a wider global trend, it will inevitably have an effect on insurance underwriting standards and business continuity planning efforts. To find out more about the report, you can click here for ordering information, or you can hear the report in its entirety by clicking this link.

Saturday, August 21, 2004

Business Continuity Testing During the RNC

As the summer winds down in an election year in the U.S. and we inch closer to November, the political debate intensifies as strategists on both sides resort to the time-honored tradition (at least during the media age) of intense mudslinging (I'm just loving this Swift Boat battle with the Texas Airmen -- it's pure WWE!). Anyway, it's also when Democratic momentum gained during their convention yields to an inevitable surge by the G.O.P. gained during their big love-in. This year's Republican National Convention (RNC) will take place at Madison Square Garden in New York between August 30 and September 2.

For political junkies (especially those in the U.S.), the convention is the political equivalent of the Super Bowl. Actually, because it's only once every four years, I'd even venture to say it's their Olympics (oops! I think the IOC may not let me say that in my blog given their policy on blogs). What the heck, I'll take my chances.

But this event is also huge for another group -- business continuity planners. Business continuity planners? You see, given that the high security will likely cause disruptions around Wall Street, continuity planners within the financial services industry (FSI) have decided this will be a perfect time to test their business continuity plans. We're not talking checklists and compliance meetings, we're talking about full-blown testing exercises:
The panelists expressed hope that the RNC and other planned events will allow their companies to prepare for unexpected events, such as terror attacks, by testing their business continuity plans and ensuring that all applications have been installed correctly, physical security is adequately prepared and all employees know what to do in the event of an emergency.
It's encouraging to see the effort taken to test plans during the convention, and the degree to which firms are taking a more complete view of business continuity, which places emphasis not only on BCP, but facilities and teleworking as well:
Certain firms have opened additional locations outside of New York City in the event that the operations in the New York branches are destroyed, and have tested technology that would allow them to get their business centers back up and running quickly after an attack, if not at another location during the attack. A member of the audience started a debate about remote-access scenarios, or people working from home. The panelists agreed that this would be quite beneficial, but required having the exact technology available to employees at the office also available to them at home to keep the productivity level equal.
In the midst of all the convention hoopla, there are some who are speculating that the days of such huge extravaganzas may be numbered. The reason? The high cost of obtaining terrorism insurance for these types of events. In fact, the main reason cited in this article is that the insurance industry and the Federal Government have yet to come up with an alternative to the Terrorism Risk Insurance Act (TRIA) of 2002.

Now, we have discussed TRIA several times in this blog, but it seems that problems continue to linger. The main one, of course, is that TRIA is set to expire at the end of next year, and if a reasonable alternative is not found, insurers will not underwrite terrorism insurance:
The insurance industry is pushing for extending that act past its 2005 expiration to the end of 2007. Without federal backing, the industry says no insurer will provide terrorist coverage for anyone.

U.S. Reps. Michael Capuano and Barney Frank are pushing for the two-year extension, a move being resisted by a cautious Bush administration that wants to review the issue more.

Frank said the commercial real estate industry is pushing hardest for the extension, to keep Uncle Sam in the business of reinsuring insurers in the event of a terrorist attack.
As the clock ticks down, it will be interesting to see how this issue will be resolved. For now I gotta run and find more election dirt -- I love this stuff!

Wednesday, August 18, 2004

Combating BCP Complacency Through Cultural Change

A couple of days ago I talked about complacency in business continuity planning and suggested that there may be a greater sense of awareness and urgency to get plans done in the U.S. than there may be in the U.K. and Canada. According to a press release that came out today, I could be giving the U.S. more credit than it's due. In a report entitled Disaster Planning in the Private Sector: A Post 9/11 Look at the State of Business Continuity in the U.S. co-authored by AT&T and The Partnership for Public Warning, the authors contend that nearly a quarter of companies in the United States are conducting business as usual without developing, implementing and testing contingency plans. Pretty scary stuff. Scarier still is the fact that the places we might expect to have the greatest degree of compliance rate fairly low on the scale:
"The survey indicated, surprisingly, that New York and Washington, D.C. were among those least prepared. In both cities, nearly 25 percent of companies lacked a plan. South Florida was the most prepared -- only 15 percent of business respondents admitted not having a business continuity plan."
It is interesting to note that South Florida exhibits the greatest degree of compliance, due in most part to the fact that emergency preparedness for hurricanes is an annual ritual.

We have used this forum to repeatedly discuss the insurance implications and benefits associated with risk mitigation. However, one thing that we have not yet discussed is our belief that in order for these numbers to improve, business continuity has to evolve from a static playbook into a permanent mindset.

Sure, in the aftermath of terrible disasters firms have taken it upon themselves to put a plan together, but this tends to take the form of a great big playbook that once completed, and passed around for everyone to ooh and ahh at, is permanently placed on a shelf to gather dust. That's simply not the point. Business processes move and change daily, therefore it's impossible that a static plan can adequately address the most contemporary business processes if it hasn't been periodically tested and updated. I think this quote from a recent piece by Michael Croy of Forsythe Solutions Group Inc. nicely summarizes what I'm referring to:
"Disaster recovery and business continuity should be woven into business processes throughout the company. Too often, that planning is relegated to an annual exercise guided by a project mentality. If companies are to remain in compliance with federal regulations over the long term, disaster-recovery and business-continuity processes and data-security measures should be baked into operations and change-management activities."
Understanding that BCP isn't just about IT and static plans is key in adopting the business continuity mindset. Peter Power of Visor Consultants notes in a recent article that Lloyd’s chairman Lord Peter Levene hit the nail on the head when he recently talked about new global risks that threaten corporations:
“I firmly believe that the most successful, least crisis-prone businesses will be those whose boards have shown firm resolve and taken decisive action. Effective, integrated strategies for dealing with tomorrow’s risks require a change in culture at board level now.”
Cross-cultural cultural change -- I like the sound of it already.

Monday, August 16, 2004

The Relevance of FEMA after Charley

In the wake of Hurricane Charley and the task of managing the $11B disaster (a fact that will no doubt wreak havoc among insurers), there was a fascinating article in today's Wall Street Journal about the relationship between FEMA and the Department of Homeland Security, an article I would strongly recommend.

FEMA was set up in 1979 by President Carter to deal with the challenge of keeping government operational in the event of an attack by the Soviet Union. As the influence of the Soviets waned, culminating with the fall of the Berlin Wall, so too did FEMA. In fact, in the early 90's policy-makers began discussing the agency's permanent closure, as it seemed more and more like a by-product of a bygone era.

This all changed with Hurricane Andrew in 1992. At that time, it seemed as though FEMA was needed more than ever, yet resources were not made available in a timely fashion. As this article points out, FEMA's efforts during Andrew may have played a role in the first President Bush losing Florida to Bill Clinton in 1992. When President Clinton arrived on the scene, FEMA's mandate and rank in the pecking order of federal importance were significantly enhanced.

From '93 onwards FEMA was given the responsibility of providing timely relief to all types of disruptive events, and was firmly grounded in an 'all-hazard' risk approach. Since the terrorist attacks, however, much has changed. For one, FEMA has been rolled into the Department of Homeland Security, an agency created to take a 'terrorism' risk approach. The two philosophies are now at odds and discussion continues as to how to keep FEMA, and its post-'93 mandate, relevant at a time when terrorism-risk mitigation strategies trump all.

The telling sign will always be how resources are allocated. Perhaps the destruction and lack of preparation for Charley -- a storm that took a sudden turn right when it wasn't expected -- will force DHS to reassess the role of FEMA in these uncertain times.


This link shows satellite imagery of Charley's devastation -- it's really quite numbing. As of August 19, the following facts have emerged:
Charley's insured losses were pegged at $7.4 billion, down from projections as high as $14 billion derived from computer models.
Charley is likely to become the nation's fourth-costliest disaster, after the attacks of Sept. 11, the 1992 Hurricane Andrew and the 1994 Northridge, Calif., earthquake.
Charley will be the second-most expensive hurricane after Andrew, which devastated South Florida at a cost of $26.5 billion, including $15.5 billion in insured losses.

Saturday, August 14, 2004

Complacency in BCP Adoption One Year After the Blackout

One year ago today, I was working at my desk when the power went out. As it was just after 4 in the afternoon, I thought I would pack up for the day and go pick my daughter up from pre-school. It was only after I got behind the wheel of my car that I realized that the power outage may be much bigger than I originally thought.

We've all heard countless stories from that day, and I actually used the opportunity to make my first blog post from a BlackBerry. A year later we are that much wiser about the vulnerabilities associated with our dependence on external systems, as well as the perils associated with disruptive events. Or are we? Seems as though the answer is not quite. A spate of articles that have come out over the past week indicates that despite our exposure to an increasingly high number of disruptive events, organizations big and small and across several countries still aren't getting the message about the need for adequate preparedness.

In the UK for instance, a recent poll suggests that businesses still remain complacent about disaster planning and business continuity, despite having direct experience with a large-scale event of mass disruption:
A poll of more than 1,000 firms in and around Manchester taken shortly after a serious fire in a BT hub in the city last March reveals evidence of complacency about communications disaster planning...Three quarters of organisations quizzed by Direct Response admitted they would lose sales calls if the event of a similar incident again. Almost one in five (18 per cent) estimated they would lose more than 100 enquiries per day in the event of a repeat performance of the fire. Despite this only a third of the companies polled by Direct Response had a disaster recovery or business continuity plan in place.
A poll that was just released in Canada this past week reveals a similar degree of apathy:
only about half (45 percent) of decision-makers in Ontario's medium to large-sized businesses are confident that government leaders have taken the necessary steps to ensure another blackout or similar state of emergency will not occur. Despite the immense disruption in business they experienced last year, only a third (30 percent) of the organisations surveyed have a full-blown business continuity plan in place
If there is a silver lining to this, it does appear that on the data side (particularly data backup), although some gaps may still remain, the message seems to be getting through.

It appears as though the key distinguishing factor between adoption rates among U.S.-based enterprises and those in places such as the U.K. and Canada is that organizations in the U.S. seem to have a bigger picture understanding of the implications and the business rationalization for preparedness:
"The regulations are driving the need as well...In this day and age, if you don't have a DR plan in place, you are being irresponsible as an employee. So the Big Blackout was just icing on the cake — the DR engine had started to move well before that. The other thing to realize is that even mid-size companies are evaluating products in this area. And mercifully, the technology curve has caught up such that DR does not need to be the prerogative of only the rich and few."

Enterprise Strategy Group analyst Peter Gerr sees two trends accelerating the adoption of disaster recovery and business continuity solutions: the need to comply with the new regulations, and the development of lower-cost alternatives to enterprise-class solutions.
Compliance -- especially with the more stringent requirements of insurance companies -- in our opinion, will be the biggest driver of greater adoption of enterprise-wide business continuity thinking. It will be interesting to see the progress we have made on the second anniversary of the big blackout.

Tuesday, August 10, 2004

Duck Tape & Covers

Quantum Sleeper is a high-level security system designed for maximum protection in various hostile environments. Quantum Sleepers can also be fitted to provide protection from destructive forces of nature such as tornados, hurricanes, earthquakes and floods. Do we feel safer, now?

Wednesday, August 04, 2004

The Complications of Code Orange

As predicted, Sunday's elevation of the Homeland Security Advisory System to code orange has elevated chatter about playing politics to code red. While critics accuse the DHS (and by extension the administration) of crying wolf, Tom Ridge remained steadfast in his department's position, stating: "We don't do politics in the Department of Homeland Security". New information released Tuesday points to fresh evidence that prompted the elevation of threat levels.

The media frenzy surrounding these announcements is clearly out of hand, and in fact verging on the absurd. So out of hand in fact that the media now discusses the finer points of security-threat-issuing fashionware, as evidenced by this article appearing in the Washington Post discussing the overly casual appearance of officials in D.C. after the threat warning was elevated:
Mayor Anthony Williams arrived for his news conference in a gray sportcoat, black trousers and white polo shirt. He was not wearing a tie. He was flanked by Police Chief Charles Ramsey and Fire Chief Adrian Thompson, both of whom looked as though they'd come sprinting in from their back yards. Ramsey was wearing a striped polo shirt and a Gonzaga lanyard. Thompson wore a Hawaiian shirt, khaki shorts and sandals...Alone, Williams' casual attire was polished and professional...But the men flanking him were so startlingly informal that the overall impression was not of a fast-acting crew, but of one that had been caught off guard. It was as though the dinner guests arrived to find the hosts with wet hair and uncooked hors d'oeuvres. Their informal appearance did not reflect the seriousness of the message or the level of their preparedness. They lacked the benefit of symbolism's power.
The reason for the uproar is directly tied to one critical factor: the economic impact of increasing threat warnings. Whenever these levels are elevated, the flow of work (especially getting to work) is slowed to a snail's pace. The costs associated with beefing up security with extra bodies, cordoning off city streets and conducting thorough spot checks of every person walking into a secure zone must be substantial, as demonstrated here:
Authorities banned commercial traffic from using the Holland Tunnel to travel from New Jersey into Lower Manhattan, and rerouted it to the Lincoln Tunnel and George Washington Bridge, which cross the Hudson River farther north of the financial district...As part of the increased security, police around the U.S. Capitol have begun inspecting every car that drives by the Capitol and its office buildings.
The impact on tourism, especially in places like New York or D.C. - centers that heavily rely on summer tourism dollars - is also significant. Given these factors, it usually comes down to the old principles of cost-benefit analysis - to elevate (and pay the piper) or not to elevate (keep everyone in a state of splendid ignorance).

Lost in the discussion this week, however, was the whole issue of our continued reliance on the location-based work model, where employers and employees alike still operate under the belief that the only place working affairs can be conducted is in the cubicles of offices. Secretary Ridge yesterday commended those who showed up for work, a statement suggesting there were many who chose not to come to work - again, another economic impact of code orange, as well as another anecdote pointing to the inevitability of a distributed workforce. Workplace Continuity seems to be looming on the not too distant horizon.

Monday, August 02, 2004

Balancing Politics with Our Need to Remain Informed

Shortly after DHS Chief Tom Ridge left the podium after announcing the threat level in the U.S. was being elevated to orange, I received a call from a friend in Ohio who thought the press conference was just about politics. Democratic numbers were up, DHS was created under President Bush's watch, and Ridge (a buddy of the President's) used the opportunity to prick a pin in the Democratic Party's bubble of euphoria from last week.

Sure, in the fuzzy afterglow of last week's Democratic National Convention where polls showed a marginal increase in John Kerry's approval ratings - par for the course after any convention - having Ridge remind Americans of the uncertain times we live in might remind some that security and strength trump everything, and thus take a little shine off of those numbers (A Gallup/CNN poll from yesterday actually shows Kerry's numbers have indeed dropped - but that's a discussion for another forum). Turned out it wasn't too long before Howard Dean began echoing the same sentiments as my buddy, when he appeared on CNN:
Security policy has been a major issue in the campaign and some Democrats were quick to wonder if politics was purposefully getting mixed up with national security. "I am concerned that every time something happens that's not good for President Bush he plays his trump card which is terrorism," said Howard Dean, a former Democratic contender for the White House. "It is just impossible to know how much of this is real and how much of this is politics," the former governor of Vermont told CNN on Sunday.
The larger point, however, is that we are living in a time when not only security threats are at an all-time high, but so too are political divisions. When these two factors are at play (especially during an election year) such news events are bound to be labelled by some as political. We need to take a step back and ask ourselves fundamental questions about how much information we require in order to be prepared to go about our daily routines. It would seem to me that if a department has been established to maintain national security and it becomes aware of a potential threat, wouldn't it be in the national interest to inform?

Ridge has previously been criticized for being vague about events and locations of potential attacks. On July 8, for instance, he spoke about looming threats that might postpone the election but was unable to offer any specifics:
"We lack precise knowledge about time, place and method of attack, but along with the C.I.A., F.B.I. and other agencies, we are actively working to gain that knowledge"
The vagueness of the message combined with its timing - two days after John Kerry tapped John Edwards as his running mate in the upcoming election - has led many anti-Bush factions to dismiss such announcements as pure political maneuvering.

Unlike the previous warning, this one was very targeted as it pinpointed five separate locations in New York, New Jersey and D.C.: The IMF, The World Bank, Prudential Financial, Citigroup, and the New York Stock Exchange. In this situation Ridge and those who will follow in future administrations will perpetually be walking the tightrope between vagueness (too little info for a cynical public to take seriously), and detail (too much info to reveal to the bad guys).

Political or non-political, I put a higher premium on being informed than being in the dark. We'll have more to discuss on the location/facility aspect of these warnings on the blog this week. Stay tuned.