The recent attacks on the World Trade Centre in New York were without precedent and unforeseen. They illustrate the vulnerability of commercial property in the face of a premeditated attack.

In rec ...

The recent attacks on the World Trade Centre in New York were without precedent and unforeseen. They illustrate the vulnerability of commercial property in the face of a premeditated attack.

In recent years, the UK has witnessed terrorist action. In 1996, a bomb exploded in London's Docklands and many companies without a business continuity plan were forced to close down.

However, companies can be prepared for events like this and things can be put into place to tackle disasters that may result in loss of life, material damage, loss of working time and destruction of critical business data.

Business continuity planning is the process of assessing risk and identifying the areas of exposure before something goes wrong and putting forward practical recommendations to reduce the exposure or its effects. What should accompany this is a disaster recovery plan, detailing precisely what should be done in the event of a disaster to ensure minimal disruption to the business, its staff and cash flow.

Being aware of risk is the essential ingredient with which to approach business continuity. A business impact analysis can help to pinpoint the greatest threats to an organisation. This is used to establish how long an interruption to business can be tolerated before the effects become inconvenient, serious or critical.

Businesses need to be clear about the value of what any given loss would mean to them. A value needs to be attributed to each risk and then a ranking of the likelihood of each risk occurring. Consequently, companies will know which risks they should be better prepared for and where they should be targeting their investment in measures to protect against terrorism.

A particular issue is time. How long will it take for a company to get going again after an incident? The longer it takes, the greater the risk a company's competitors will fill the void.

Preventing an attack
In practical terms, what can a company do to prevent a terrorist attack? Employees are valuable as an organisation's eyes and ears, reporting any suspicious activity, being vigilant about unattended packages and challenging unidentified strangers entering a building. Telephonists should be taught how to handle bomb threat warnings, taking details and any code words.

The area outside a building and reception areas require attention to maintain security. Bushes and shrubbery should be kept under control, as they offer prime areas for devices to be hidden. Maintenance hatches leading into buildings need to be locked when not in use and furniture in reception is best kept minimal and open in design.

In terms of construction, a glass-fronted building can be protected to some extent with shatter-resistant film. Blast curtains and shutters provide an extra level of protection.

Access to a building can be controlled in different ways, such as swipe cards, digital keypads and iris, fingerprint or voice recognition entry authorisation. Manned entrances and turnstiles also add to security. However, the integrity of these measures is only as good as their management.

Managing the influx of visitors is another obvious, but often neglected, area of protection. Use of signing-in books and visitor badges should be strictly adhered to and visitors should be restricted to appointments only, with staff accompanying them at all times.

Get out the guards
Security guards at reception and conducting patrols around buildings and car parks - complete with two-way communication - are an effective option as both a deterrent and investigative resource. By law, anyone entering a company's premises can be searched and, if necessary, entrance refused.

CCTV provides 24-hour security, covering vital areas. More advanced options offer infra-red lighting and video recording. Both security guards and CCTV can be a shared investment in an area where safety measures would benefit several companies located close to each other.

Basic elements, such as alarms, internal and external lighting and high-quality window locks, especially at ground floor level, provide an effective front line of preventative security.

Once inside the offices of a company, there are measures to help minimise loss in the event of an attack.

A clear desk policy encourages staff not to leave any important items where they may be damaged in the event of a disaster. Shielding computers with protective covers at the end of the day means equipment has more chance of being salvaged following an incident.

Electronic data should be backed up regularly, both on-site and, if possible, at a secure location off-site. The importance of this cannot be emphasised enough.

Brief your staff
In the event of a disaster, comprehensive advanced planning can be a saviour and staff should be fully briefed on what to do. In a worse-case scenario, recommencing operations might involve staff casualties, contacting families of injured or missing staff, lack of access to a building, handling media interest, managing disruption to work in progress and recovering from damage to essential equipment and materials. Looting, loss of communications facilities and loss of power, leading to a potential corruption of data, can all affect a firm's processes and delay a return to normal operations.

The preparation of a disaster recovery plan, including formalised procedures, will assist an organisation to establish short-term recovery arrangements for a minimum service level and enable normal working to be resumed as soon as possible. A business must take ownership of such a plan at the highest level, test it regularly and revise it to take account of any internal changes.

  • Mervyn Harris is product manager, commercial product development at Norwich Union.

  • Topics