Business resilience
Planning considerations
Contents
•Acknowledgements
•About this document
•Common consequences
•Severe weather
•Electricity network reliability
•Telecommunications failure
•Human diseases (including pandemic flu)
•Civil disorder
•Terrorism
•Cyber‑security
•Useful business networks
Acknowledgements
The following document is the result of the joint effort of a number of parties representing the full spectrum of the
Square Mile’s business and emergency response communities.
In particular, the workshops which led to the production of this document were made possible thanks to the
contributions from the following organisations:
•Atos
•Bank of England
•British Transport Police
•BT Group
•City of London Police
•Environment Agency
•Greater London Authority
•Lloyd’s
•London Chamber of Commerce and Industry
•London Fire Brigade
•Met Office
•National Australia Bank
•NHS England
•Public Health England
•Roger Gomm Ltd.
•Sullivan & Cromwell
•UK Power Networks
•Vodafone
The City of London Corporation would also like to thank all those people and organisations who contributed their
time and expertise to the workshops and to the review of this document. In particular, Giorgio Honey from the
City University and Ana Dju from the Skinners Academy who contributed to this project as part of their student
placement and City Business Traineeship, respectively.
Special thanks go to the specialist security and building resilience practices within Deloitte LLP for their kind support
producing and printing this document.
About this document
This document is the product of the information gathered through a series of workshops around the
key risks facing the Square Mile. These workshops brought together the members of the City of London
Resilience Forum and representatives from a wide range of City businesses.
This project started as an initiative of the City of London Resilience Forum and was initially led by a
sub‑group tasked with looking at the City Risk Register. This working group then amended its remit to
look at the production of business resilience planning considerations.
The aim of this group was to use the risk register for the Square Mile to produce a set of planning guidelines
that would enable businesses to ensure they were planning for the potential impacts of emergencies that
had been identified in the City Risk Register.
The planning considerations contained in this document are inspired by the National Resilience Planning
Assumptions produced by Cabinet Office as part of the work it does at a national level. The first section covers
the key common consequences that are likely to arise from most emergencies. This is followed by the impacts
associated with each key risk theme. The last section is a compilation of useful networks that businesses can tap
into.
Common consequences
Through highlighting likely common consequences
throughout the seven risk themes identified, this
document aims to avoid duplication and provide
businesses with a quick reference guide for those
impacts which are common to most risks faced by the
Square Mile.
What to prepare for?
Disruption to your own resources:
•Overstaffing/resourcing (staff wishing to stay
and help, rather than go home and rest to take over
the next shift).
•Understaffing/supply chain disruptions (inability of
staff to get to work or unwillingness of staff to go
back to the area following an incident).
Disruption to transport affecting:
•The ability of staff to get into work or get home.
•Delivery of goods and materials.
•Rail and tube services.
•Road traffic.
Transport disruption has been highlighted as the key
common consequence affecting businesses as a result
of nearly all the risks identified in this document.
An appendix to this document focusing on this type
of disruption and on incidents on the transport
network will be produced in 2014.
Disruption to utilities affecting:
•Ability to maintain services and a working
environment.
•Communication with customers.
Financial costs including:
•Cleaning and building maintenance.
•Over‑exhaustion of staff who have not been able to have enough rest.
•Multiple invocations of syndicated disaster recovery sites (and the potential for diminished provision from suppliers).
•Competing demands for services/supplies required for business recovery.
•Building repairs and site recovery.
•Rising insurance premiums and excess.
•Legal.
•Temporary staff replacement and staff welfare.
•Emergency aid, assistance and charitable contributions.
Some businesses found that these measures
helped them be better prepared
•Having processes in place to dynamically identify reliable sources of information and being prepared to take decisions with incomplete information/unknown facts.
•Ensuring your workers are sufficiently trained in evacuation and emergency related procedures. Reviewing how often you train staff and how often you exercise procedures.
•Consider producing a personal emergency procedure manual for staff that identifies hotline telephone numbers, evacuation procedures, informational websites and emergency plans, etc.
•Knowing the extent of your business’ duty of care towards your employees and checking what your contractors’ arrangements for caring for their employees are (particularly contractors’ staff working in your building).
•Ensuring all your building maintenance plans, evacuation routes, key infrastructure points (i.e. generators, water mains, etc.) and floor plans are laid out in an easy to understand format and easily accessible in the event of an emergency.
•Reviewing your own evacuation procedures and checking if, when fire alarms are triggered, you are able to direct staff away from potential danger.
•Defining what your business recognises as a short‑ and long‑term risk. Also considering the potential duration of disruptions and the effect this has on your business critical systems.
•Being sure to organise all important and emergency critical information so that it is prepared, accessible and resilient to risks.
•Considering the physical layout of your office structure and being sure to split up key groups of employees to minimise the chance of business‑critical departments being disrupted by the same risk.
•Cross‑training staff in business‑critical procedures to ensure minimal disruption when key employees are absent.
•Being sure to update and test your emergency/recovery plans regularly.
•Reassessing the situation regularly and considering providing updates to staff and key partners.
•Documenting the decisions of the various teams involved in dealing with the situation and incorporating any lessons identified into your existing plans.
•Using consortiums, forums, unions, collectives, meetings and workshops to understand what your peers are doing to address and prepare for the same risks.
•Being sure to liaise with the emergency services to find out what they are expecting from your business continuity plans.
•Checking whether your workplace recovery provider will allow you to invoke their services in scenarios covered in this document.
•Considering the possibility of your staff working from home and implementing procedures that allow them to do so.
•Consider entering into reciprocal arrangements with clients or non‑competitor organisations to use their space/facilities.
•Ensuring you identify critical processes and key people early (and regularly update this) as it could help your firm understand its continuity requirements better.
How the City of London Corporation can assist you
The City of London’s Security and Contingency Planning Group is available to assist businesses in the City with the development and exercising of their business continuity arrangements.
Assistance is provided in the following areas:
•Information on the major incident response arrangements within the Square Mile.
•Presentations to staff and management on any aspect of business continuity.
•The development of exercises and, if appropriate, participation in those exercises.
As an independent third party, the Security and Contingency Planning Group is also available to discuss a company’s plans and arrangements in strictest confidence.
For organisations based within the City boundary there is no charge for these services.
The City of London has plans in place to support the community and the emergency services in the event of such an incident.
For more information:
•Email: [email protected]
•Visit our webpage: www.cityoflondon.gov.uk/businesscontinuity
•Follow @sqmresilience on twitter
How the City of London Police can assist you
Counter Terrorism Security Advisers (CTSAs) provide briefings, advice and presentations on:
•Hostile reconnaissance.
•Protective security against terror and domestic extremism.
•Contingency planning and response to attacks.
•Searches, evacuation and suspect packages.
•Post room security and telephoned bomb threats.
•Personnel, employment screening and cyber‑security.
•In‑house table‑top exercises.
•Other aspects of security.
We welcome enquiries and are happy to provide bespoke advice to meet your needs.
The City of London Police also runs monthly Project Griffin awareness days for security and front‑of‑house staff, and Project ARGUS counter‑terrorism table‑top exercises, as well as other periodic events.
Additionally, we offer a range of services for small‑ and medium‑sized enterprises including the newsletter City Business Connect.
Within the Community Policing section, the Business Engagement Team works with all Square Mile businesses (including small‑ and medium‑sized enterprises, such as shops, cafés, pubs, markets and churches). The team deals with local issues and concerns raised by businesses and is able to offer assistance on how to protect your business and employees against crime.
The officers and PCSOs within this team aim to increase awareness and cooperation between businesses and the police to reduce and tackle crime.
For more information:
•Email: (counter‑terrorism) cts@city-of-london.pnn.police.uk
•Email: (community policing) [email protected]
•Visit our webpage: www.cityoflondon.police.uk
•Follow @CityPolice on twitter
How the London Fire Brigade can assist you
The London Fire Brigade’s Dowgate Fire Station (in the City) regularly hosts a City Business Engagement Workshop. This is a free, interactive session designed to assist facilities managers and fire safety managers to understand the services that London Fire Brigade offers to City business.
The workshop includes advice on fire risk assessments, improving incident response, damage control and how you can manage your organisation’s fire systems more efficiently. Particular attention is paid to the reduction of false alarms, which will not only improve your Business Continuity but ultimately make your business a safer place for your staff and customers.
For more information:
•Email: LFBCityBusinessEngagementDay@london-fire.gov.uk
Severe weather
Severe weather can take a variety of forms and at
times can cause significant problems and disruption
to everyday, normal life. The forms of severe weather
identified in the National Risk Register are: storms and
gales, low temperatures and heavy snow, heat waves,
drought and flooding. The risk of flooding from the
river Thames is very low and, for the Square Mile,
the most relevant type of flooding is the one linked
with heavy rain, known as surface water flooding.
The disruptive effects of specific types of severe
weather can vary widely depending on the event.
For common consequences of the various types
of severe weather, refer to the first section of this
document.
What to prepare for?
•Flooding
–– Damage to property (water ingress or floating vehicles/debris hitting your building).
–– Sewers bursting (contaminated water entering your premises).
–– Pedestrian subways filled with water.
–– In worst case scenarios it could take up to five years to recover from the damage to the transport infrastructure (including the Tube).
•Storms and gales
–– Trees blown down blocking streets/access to buildings and crushing cars.
–– Collapse of scaffolding, cranes, billboards or other temporary structures.
–– Once the period of bad weather is over, the airlines will be under pressure as there is a surge in demand for flights.
•Low temperatures and heavy snow
–– Very low temperatures pose a health risk to your vulnerable staff or their family members.
–– School closures.
–– Ice/snow on pavements and accumulating on surfaces or temporary structures.
–– Temperature in your building falling under minimum acceptable limits (around 16°C) and forcing building closures.
–– Hotels could face a surge in demand and staff disruptions.
•Heatwaves
–– Very high temperatures pose a health risk to your vulnerable staff or their family members.
–– Increased power demand as a result of building cooling.
–– Members of the public seeking refuge in your building’s public areas.
•Drought
–– Burst water mains due to lack of water pressure.
–– Water shortages leading to building closures due to health and safety concerns.
Some businesses found that these measures
helped them be better prepared
•Considering whether your emergency procedures
cover looking out for severe weather warnings
or the effect of disruption/damage caused by
severe weather.
•Exploring the logistics of relocating staff to better
insulated/heated areas of your building (including
procedures for moving ICT equipment) and using
portable heaters to raise the temperature in smaller
sections of your building.
•Considering whether your emergency procedures
include communicating severe weather warnings
to staff and identifying safe routes out of danger
for employees in affected areas of your building.
•Understanding the specific flooding risks that cover
your location.
•Consider engaging with your key suppliers to make
sure they also receive warnings from the Environment
Agency and the Met Office.
•Checking what temperature range your key
building systems can operate within (and where
possible incorporating mitigating measures in your
incident‑management procedures).
•Reviewing whether your HR policies and procedures
cover assistance that might be needed by
members of staff affected by flooding (relocation
considerations, financial assistance, etc.).
•Understanding what windows in your building can
be opened (and how to open them) to enable natural
ventilation of your building.
•Raising awareness amongst your staff of the ‘Staying
Cool in the City Map’ (which provides a list of cool
public spaces for people to use as refuge during a
heat wave).
•Identifying where the public highway ends and your
property starts, and what the gritting/snow removal
arrangements are for streets/pavements around
your building.
•Engaging with local hotels in advance if you need
accommodation for critical staff near a particular
location (some hotels might be able to provide
‘Z’ beds in function space to cope with demand).
•Checking the location of your electrical systems/
emergency generators and ensuring they are not
at risk of flood.
•Using refurbishment projects/property
redevelopments as opportunities to protect your
building from the potential effects of severe weather.
•Making sure key staff in your business subscribe
to the Environment Agency’s flood warnings
(fwd.environment‑agency.gov.uk) and to the
Met Office’s severe weather warnings (either via
twitter: @metoffice or through their website:
www.metoffice.gov.uk).
Electricity network reliability
Being part of the critical national infrastructure,
the electricity network is built to withstand a series of
impacts, including winter weather. Robust emergency
plans are in place to help it deal with lightning, strong
winds, flooding and other incidents that can sometimes
affect power supplies. The resilience of the power
network serving the City of London is rated as one of
the best in the world, with only a 3% failure rate on
any one component.
Recognising this level of resilience, this section
deals with the unlikely risk of failure to the electricity
supply that could occur as a consequence of industrial
accidents, technical failure, severe weather or
malicious activity.
What to prepare for?
Some consequences of electricity supply disruption are
specific to large‑scale disruptions, but most would still
be relevant for localised disruptions (which are more
likely to occur).
•Widespread darkness (your building might stand out
as one of the few buildings with power).
•Excess demand could lead to shortages of fuel
for generators.
•Increased calls for people trapped in lifts (emergency
services will attempt to recover costs for this type
of call).
•Loss of electricity supply to areas not on generators/
whole building (if no generators on‑site).
•Disruption to key safety features of your building
(lighting, fire alarms, public announcements system,
CCTV, access control system, etc.).
•Alarms being triggered/security features defaulting to
open mode.
•Businesses with sufficient generators could be asked
to assist in taking demand off emergency power
being sent out by power supply companies.
•Knock‑on impacts on other infrastructure (disruption
to telecommunications, especially voice‑over‑IP
systems and mobile network; road signals, transport
network, petrol stations, etc.).
•Disruption to cash machines and point of
sale terminals.
•Staged resumption might see fluctuations in power
supply.
•Energy supply shortage or transmission constraints
leading to rota disconnections.
•Uncontrolled shutdown of key business systems (leading to data corruption/loss of data).
•Knock‑on impacts on other utilities (such as water) and their ability to provide a service.
Some businesses found that these measures
helped them be better prepared
•Checking which substation(s) supply your business (some buildings might supply power from their own substation to other businesses).
•Checking the type of power supply that feeds your business (different ways of connecting to the electricity supply network have different levels of resilience).
•Making sure you test your generators and ensuring all your critical business services can be serviced by them.
•Reviewing your business continuity arrangements to ensure they cover widespread power failures.
•Speaking to your neighbours to understand whether they have generators and how they expect to coordinate fuel deliveries with your building.
•Consider using social media for communicating with staff.
•Consider incorporating access to the Cloud’s City Wi‑Fi network (an app can be downloaded to enable smartphones to automatically connect to it).
•Consider testing the tolerance of your ICT and other electronic equipment to voltage fluctuations/frequency changes (including your lifts, alarm systems and access control systems).
•Consider using localised uninterruptible power supply (UPS) units for critical systems to allow for continued uptime or provide a buffer for controlled shutdown and protection of data.
Telecommunications failure
The key risk in this theme centres on significant disruptions leading to loss of service by more than one provider (including land lines and mobile networks) for up to three days.
Significant disruptions affecting one provider could affect other operators due to the level of interdependencies within the sector. It is also anticipated that a major incident in London will place the mobile telecommunications network under a level of stress similar to those experienced during New Year’s Eve, potentially over a longer period of time.
What to prepare for?
•Loss of communications infrastructure may impede your ability to communicate with a dispersed workforce.
•‘Home working’ as a recovery solution might be unavailable.
•Direct impacts involve the loss of the following:
–– Voice.
–– SMS.
–– MMS.
–– Internet.
•Businesses might also experience disruption to the following:
–– Machine‑to‑machine data.
–– Data for vehicles’ on‑board computers.
–– Cash machines.
–– Chip and PIN machines (and other point of sale terminals).
–– Smart metering (gas, electric and water).
–– Vending machines – restock information.
–– Ticket machines – including payment systems.
•Other systems that could also be affected include:
–– Traffic light control and traffic monitoring systems.
–– Traffic message boards.
–– Bus monitoring and time information at bus stops.
–– Water monitoring, in pipes, rivers, reservoirs and at pumping stations.
–– Electricity use monitoring and remote switching.
–– Panic alarms for vulnerable people.
–– Panic alarms for victims of crime.
–– Cash in transit tracking.
–– Electronic TAGs for criminals.
–– Parcel tracking for courier services.
–– Sat Nav – live traffic information.
–– Location‑based services.
–– Health appointment and pill‑taking SMS alerts.
–– Blood pressure monitoring and other home medical systems.
–– Near field communication – money transfer via mobile phone.
Some businesses found that these measures
helped them be better prepared
•Ensuring staff have ‘pre‑defined’ instructions on
how to contact your organisation in the event of
loss of telecommunication or inability to make
contact via mobile phone (e.g. landline call into a
recorded message).
•Consider having ‘runners’ to help you convey
messages between your key offices (if multi‑sited)
or between your office and your key partners/clients.
•Consider having default actions that are carried out by
your staff in the absence of communications from your
organisation (e.g. stay at home and await further
instructions, or report to alternative premises).
•Consider making critical individuals (e.g. could
be those with a need to communicate with large
numbers/groups of staff or important client
relationships) more resilient to communication
interruption (rather than locations) by equipping
them with items to enhance their capability to stay
in contact (e.g. satellite phones, mobile router,
small home generator, iPads, etc.).
Human diseases (including pandemic flu)
Human diseases can present themselves in a wide
range of forms. For this reason, the impacts associated
with these can vary considerably from one outbreak
to another.
Even though the outbreak of H1N1 influenza in 2009
(known as ‘swine flu’) was milder than the reasonable
worst‑case scenario that the UK Government’s plans
considered, this does not mean the severity of future
pandemics will be the same as the ‘swine flu’ outbreak.
The reasonable worst‑case scenario for assessing the
potential impacts of this risk is based on the 1918–19
‘Spanish flu’ outbreak.
A pandemic is potentially a unique event in terms
of planning in that it would result in cases of disease
across the whole world. This could have particular
challenges for multinational businesses.
Even though pandemic influenza remains the most
significant civil emergency risk for the United Kingdom
as a whole, seasonal diseases (such as Norovirus) could
also present a risk to businesses. These diseases are not
likely to cause death but their ability to spread through
the workforce and lead to staff absenteeism shouldn’t
be underestimated.
What to prepare for?
•Pandemics:
–– Large‑scale staff absenteeism (up to 10% of the workforce during the peak, and 50% over the duration).
–– A pandemic wave could last 15 weeks, with multiple waves.
–– Staff absences could affect key critical business cycles and distribution points.
–– Whole teams affected at one time.
–– Impacts not limited to a single geographical region (consider impact on international branches of your business/headquarters or the operations of your critical suppliers).
–– Staff disruptions in key infrastructure providers could affect delivery fleets, public transport, specialist maintenance contractors, outsourced media relations/press teams, etc.
–– Impacts on the wider population could result in the following:
   • School closures and the resulting absence of staff.
   • Key staff unwilling or unable to travel to work (staff who are worried despite being well).
   • More staff requiring time off to care for relatives (not just the traditional staff with caring responsibilities).
   • Staff requiring compassionate leave/counselling for dealing with bereavement.
   • Increase in business activity (for companies providing services like health insurance or medical supplies or within specific sections within the business, such as HR).
–– Staff shortages in certain business‑protection functions could lead to changes in the threat landscape (potential increase in opportunistic attacks seeking to exploit financial, cyber‑security or physical security vulnerabilities).
•Outbreaks of infectious diseases (including seasonal illnesses such as Norovirus)
–– Disruption usually lasts for 48‑72 hours but re‑infection is a possibility (staff still in the contagious stage of the illness returning to work).
–– Whole teams may be affected at the same time (contagion amongst those working in close proximity).
–– Impact could be limited to a single business (so your business might not be able to benefit from a relaxation of rules as there is no wider systemic impact).
–– Norovirus is a seasonal illness that occurs every year. Once caught, it results in 48‑72 hours sickness, yet return to work should be delayed for 48 hours after last vomiting. Having caught it once does not provide immunity for more than three months. Half of the people exposed to the virus will catch it.
Some businesses found that these measures
helped them be better prepared
•Consider having staff profiles to help to
identify specific challenges and assist in management
of the situation (where they live, route to work,
staff with young children or elderly parents, etc.).
•Consider having clear HR roles and responsibilities,
including plans for dealing with the specific
challenges associated with pandemics.
•Familiarising key staff with Public Health England
website (www.gov.uk/government/organisations/
public‑health‑england) as a source of public
health advice (including real‑time guidance
during outbreaks).
•Referring to UK Government advice when reviewing
your pandemic plans: www.gov.uk/government/
publications/pandemic‑flu‑checklist‑for‑businesses.
•Advancing your understanding of your supply
chain and how they would respond to disruptions
and how you can work with them to mitigate
any impacts.
•Consider using office respiratory hygiene (catch
it, bin it, kill it) and use of hand sanitiser as a
business‑as‑usual practice. This will reduce other
types of infection and will also raise awareness
among staff, reducing rate of spread of sickness at
the workplace.
•Exploring your home working options, as this could
be the best strategy for dealing with most impacts
of pandemics (provided staff are familiar with the
systems used for remote working and the technology
is robust enough to cope with large numbers of staff
connecting at once).
•Understanding minimal work conditions (what
needs to be provided to home workers for working
remotely over an extended period) and how to
provide any equipment required.
•Considering options like transferring work to regional
offices that might not be as badly affected.
•Developing a good understanding of your physical
office set‑up (including proximity of key employees)
and having plans for breaking up key departments
in order to minimise contagion.
•Considering shift working/staggered office hours
in order to split the times people are in the office.
•Exploring cross‑training on key skills across your
workforce.
•Identifying latent skills in your workforce (i.e. people
who used to do a specific job or who have acquired
a specific set of skills outside work).
•Considering the cumulative effect of simultaneous
impacts on multiple locations.
•Frequently updating your plans – with key emphasis
on having flexible arrangements.
•Considering how local public health advice could
vary between countries (if you have operations in
more than one country, your workforce might get
mixed messages).
•Bearing in mind that antiviral drugs would have
a limited preventative effect, so stockpiling might
not be the best option for companies. The UK has
a stockpile of influenza antivirals that would be
available to patients in a pandemic.
•Considering the impact of the potential uneven
distribution of medicines/vaccines (this might vary
depending on the region/country staff are based in).
•Taking into account that disposable face masks offer
very limited protection outside of the health and
social care environment – they are not recommended
for the wider public and whole workforce in the UK.
Those working in high‑risk areas (such as health and
social care) are normally provided with specialist
protective equipment and trained in its adequate use.
•Considering that the potential duration of a pandemic
could be up to six months (with several ‘waves of
the illness’).
•Ensuring your HR policies and procedures are
flexible enough to help you cope with multiple
bereavements, prolonged staff absences and health
and safety risks specific to this type of scenario.
Civil disorder
The risk of public disorder is something most
organisations in the Square Mile have been exposed to
in one form or another. The ways in which public order
incidents manifest themselves can prove challenging
to both law enforcers and businesses/organisations.
It often occurs following a trigger event, yet it is not
always possible to identify it as such at the time it
happens. The unrest that is created from this trigger
can result in further sporadic actions, which could
include rioting, looting, vandalism, protest, violence
and arson.
What to prepare for?
•Disruption to deliveries/collections (including mail,
office supplies and refuse collections).
•Interruptions to your supply chain.
•Presence of trespassers/unauthorised people in your
own premises.
•Demonstrators inside business premises.
•Public transport disruptions (including heavy traffic).
•Potential for arson attacks on company vehicles
or other corporate assets (including buildings).
•Broken glass (and other damage to building) at street
level and lower floors.
•Misinformation caused by rumours spread on social
media/networking sites, news channels, etc.
•Multiple invocations of recovery sites (this could lead
to syndicated space provision not being available).
•Neighbours protecting their property better
could mean your building becomes a more
vulnerable target.
•Difficulties protecting large glass areas, boarding‑up
properties, fencing areas or deploying crowd barriers
at short notice.
•Blue light services’ resources might be tied up dealing
with the situation elsewhere or access to premises
could be made difficult due to security concerns –
the police would need to provide protection to fire
brigade and ambulance service crews attending
the scene of disorder (these could cause delays to
their response).
•Delays to extra security staff (additional staff required
at short notice could be affected by transport
disruptions or the supplying company might not have
enough resources to meet a peak in demand).
•Following the disorder the following impacts could be expected:
–– Need to arrange for protection to damaged areas of buildings.
–– Extra cleaning costs.
–– Legal costs.
–– Insurance claims/requirement to review cover.
–– Limited availability of specialist glass providers/stocks, leading to delays in replacing damaged glass panels.
–– Similar problems replacing other components of building damaged during the disorder.
•Staff absences (both linked to the transport disruptions or due to disorder near their homes).
•Additional support required by lone workers or by staff living in affected areas (this could include help with temporary relocation).
•Reputational impacts of staff taking part in violent disorder (could even be wearing corporate uniforms).
•Difficulty in gaining access to key markets (like the Lloyd’s insurance market).
Some businesses found that these measures
helped them be better prepared
•Consider training staff to perform key roles such as:
–– Press liaison/spokesperson.
–– Point of contact with protest groups.
–– Point of contact with emergency services and
local authority.
–– Point of contact with neighbours.
–– Staff welfare.
•Consider checking with your third‑party recovery
sites whether they would allow an early invocation
in preparation for potential disruptions.
•Considering how to protect your staff if evacuating
due to an arson attack.
•Engaging with your neighbours to understand how
they are preparing for the potential impacts and to
share horizon‑scanning information.
•Understanding the risk of your business, clients
or neighbours being targeted by campaign
or protest groups.
•Checking where your premises start (i.e. what is
private land and what is the public highway or
an area the responsibility of a third party).
•Keeping an up‑to‑date list of key companies you
would use for the kind of supplies you would
need to protect your business (including the time
it is likely to take them to reach you – even with
transport disruptions).
•If responsible for buildings where works are being
carried out, ensuring a scheme of works can be
produced if the need arises.
•Considering what you could do to protect large glass
areas of your building and what you would need
to do to get them repaired if they were damaged.
•Ensuring you have identified key sources of information
(such as City of London Police alerts and verified
Twitter accounts for emergency responders).
•Knowing the law (including what your security
staff can and can’t do when faced with protesters
or trespassers).
•Considering how your arrangements allow you
to provide the right information to the police
(including providing evidence of the impacts of
protests on your business).
•Exploring how your business would identify potential
triggers for civil disorder and the kind of actions you
would take.
•Consider joining forums to share information
and intelligence.
•Exploring how your business would seek legal remedy
if needed (including how to obtain pre‑emptive
measures from a judge).
•Understanding what contractors and the local
authorities would do in preparation for planned
protest (where there might be a risk for violence).
•Consider having arrangements to allow your
company to dynamically assess a civil disorder
and to take action accordingly.
•Consider attending a business engagement day
at Dowgate Fire Station to familiarise yourself with
the London Fire Brigade’s response.
Terrorism
The risks under this theme appear in the National Risk
Register under the heading of ‘malicious attacks’.
The Square Mile is a safe place in which to live and
work. Nevertheless, it is prudent to prepare for these
rare incidents which could cause significant disruption.
At the time of writing this document, the threat to
the UK from international terrorism is substantial.
This means a terrorist attack is a strong possibility
and an attack may occur without warning.
The UK faces a wide range of threats and attacks could
include marauding gunmen, improvised explosive
devices (IED), human and vehicle borne devices, suicide
attacks or chemical, biological, radiological attacks,
to name a few attack modes.
The United Kingdom’s counter‑terrorism strategy
(titled CONTEST) is organised around four work streams:
•Pursue: to stop terrorist attacks.
•Prevent: to stop people becoming terrorists
or supporting terrorism.
•Protect: to strengthen our protection against
a terrorist attack.
•Prepare: to mitigate the impact of a terrorist attack.
What to prepare for?
•Phone operators receiving bomb threats.
•Members of staff being radicalised and carrying out
the attack (insider threat) or being identified as linked
to the perpetrators.
•Reception/security staff receiving urgent instructions
from the police (including the need to move all staff
to a safe area or to evacuate via an alternative route).
•General staff would be required to comply with
instructions from the police and other emergency
services (even if these seem counterintuitive).
•Increase in staff absences (initially as a result
of transport disruption but with time reasons for
absence could include fear of future attacks or
a significant change of circumstances at home).
•Acute infrastructure disruptions (including outages
of the mobile phone network, utilities and
public transport).
•Members of staff being directly affected by the
incident, including the following related impacts:
–– Dealing with staff (or their family members) being
kidnapped or held hostage.
–– Need for staff to provide witness statements for
the police.
–– Communicating with next of kin of affected staff.
–– Dealing with multiple bereavements within
your workforce.
–– Dealing with the ‘empty chair syndrome’ (i.e. what
to do with the belongings and workstation of
anyone who might have died in the incident).
–– Accounting for staff and liaising with
Casualty Bureau.
–– Staff not present at the time of the incident feeling
‘guilty or like they no longer belong’.
–– Providing support for staff suffering from
post‑traumatic stress disorder.
–– Arranging memorial/funeral services for staff.
–– Dealing with large quantities of floral tributes
delivered to your office (including disposal of
decaying flowers).
–– Seeing an increase in requests for longer periods of
compassionate leave or sick leave.
•Longer‑term transport disruptions (if the incident
has damaged the highways or the public transport
infrastructure).
•Damage to your building or other corporate assets
(like corporate cars) – this damage could include
structural damage leading to complete or partial loss
of a building.
•Disruptions as a result of cordons set up by the police
(including buildings being made unavailable even if
not directly affected).
•Disruptions as a result of parts of your building
becoming crime scenes.
•Cleansing of buildings and other assets, including:
–– Disposal of contaminated objects/surfaces following
a chemical, radiological or biological attack.
–– Cleaning of surfaces affected by water or fire/smoke.
–– Removal of stains from porous surfaces (including
concrete and stone).
–– Removal of debris and derelict structures.
•Disruptions to your supply chain.
•Requirement for additional security as a result of
an increase in the threat level.
•Sudden increase in workload for companies providing
services that might be in higher demand following
an incident (such as engineering firms, insurance
providers, etc.).
•Damage to your organisation’s reputation (caused
by comments from estranged employees or images
of damaged buildings with your logo on them).
•Effects on customers or clients (they might not feel
safe/comfortable visiting or attending meetings at
your premises).
•Having to stay in a safe place within your building
for a prolonged period of time (including tending to
injuries caused by the incident until the emergency
services are able to reach you).
•Delays in assistance from the emergency services
(at least until their staff can operate in a reasonably
safe environment).
Some businesses found that these measures
helped them be better prepared
•Having a set of basic outline floor plans available for
the emergency services in the event they need to
navigate your building.
•Consider training your public‑facing staff on how
to recognise hostile reconnaissance and how to deal
with bomb threats.
•Bearing in mind that if armed response from the
police is involved, staff would need to understand
how to behave in a non‑threatening manner and
what would be expected of them by the police.
•Reviewing your plans to ensure they allow you to
respond to the variety of attack modes that could
be employed (including firearms, use of fire as
a weapon, etc.).
•Knowing your own building (including an assessment
of your vulnerabilities).
•Exploring how your own security/facilities
management think the building could be targeted.
•Ensuring your staff understand what they would
need to do if an attacker had control of your building.
•Consider identifying a ‘safe location’ within your
building and training staff on how it would be
used (including what provisions/supplies would be
required there).
•Considering the need to relocate your workforce
within your own building (as a result of a portion of
your office being unavailable).
•If possible, consider having a structural engineer with
blast experience assess your building in advance.
•Understanding the protective security measures your
building has and checking how they could be used
by terrorists.
•Considering what the role of staff is in getting visitors
out of the building or into the ‘safe location’.
•Considering how to deal with contractors (including
delivery couriers), third‑party staff (like caterers),
visitors and clients who might be on‑site at the time.
•Exploring how to escalate your own security
arrangements if required.
•Understanding how to ‘lock down’ your building
(including grounding lifts or locking doors).
•Encouraging your employees to have personal
emergency plans (including how they would
communicate with their loved ones, even if the
mobile networks were not available).
•Ensuring staff dealing with incoming post
are sufficiently trained on how to deal with
suspect packages.
•Consider encouraging your staff to use social
media to let others know they are well following
an incident.
•Consider reducing the number of personal parcels
delivered to work.
•Exploring the use of a dedicated staff emergency
number (where you can record non‑sensitive advice
for your workforce following an incident).
•Reviewing how your key suppliers would work with
you in this type of scenario (including your disaster
recovery providers).
•Ensuring you have a process for carrying out robust
pre‑employment checks on your staff (including a
vetting process where required).
•Considering a process for spotting radicalisation of
members of staff and training your workforce on
how to identify it (and take appropriate action).
•Encouraging your security managers to share
information with their peers in the area around
your business.
•Consider producing pull‑out cards or checklists for
receptionists, security and any other front‑of‑house
staff with key actions to be taken for different types
of incidents.
•Ensuring you have a process for accounting for your
own staff, your contractors and any visitors (and test
it regularly).
•Seeking advice from the police on how your security
team can help you ensure your assembly area is safe
prior to sending your staff there.
•Consider having to increase the flexibility of HR
policies to enable longer periods of compassionate
leave or sick leave.
Cyber‑security
Increasing our reliance on cyber structures brings new
opportunities but also new threats. Cyberspace is an
important tool in the storing and collation of data,
information and finance, to name a few. But the very
openness of this space can leave us vulnerable to
attacks from criminals, hackers and online pirates who
want to gain access to our databases and compromise
or harm our businesses/organisations. The effects of
these attacks can be felt in our economy, infrastructure
and society.
What to prepare for?
•Multiple system issues (not necessarily related, i.e.
direct impact of attack, system slow down/failure,
or closure of system to prevent further access).
•Reputation – false claims about the business’ privacy
and lack of IT security could jeopardise the business’
reputation and how it is regarded by its
stakeholders.
•Timings – time zone differences or overseas offices
mean minor impacts to headquarters may critically
expose international operations.
•System capacity decreasing (as a result of the attack
or of the response to the attack).
•Service providers having to be replaced if they are
unable to prevent leakage of vital data.
•Payments and/or trading systems could fail or be
temporarily unavailable/compromised.
•Business becoming a target due to shared
infrastructure with other businesses.
•Staffing issues, such as tiredness/fatigue (of specialist
teams used for responding to the incident).
•Breakdown of communication network
(i.e. Voice Over IP).
•Regulatory – failing to comply with regulatory
requirements may lead to fines.
•Potential for multiple events or for vulnerabilities
arising out of the incident to be exploited.
•Legal – external interference due to the spillage
of private data could compromise the business’
relations with crucial stakeholders.
•Suppliers themselves may be affected/targeted.
•Loss of intellectual property may mean the business
loses its comparative advantage, i.e. patents or
commercially sensitive information.
•Data corruption (could lead to corruption of
mirrored/backup environment).
•Financial impacts – fines, loss of business, and costs
for dealing with the incident.
•Slow internet/broadband availability/speed.
•Loss of new technology that is not yet covered by
business continuity arrangements.
•Third parties may misuse information being shared.
•Malicious use of admin rights.
Some businesses found that these measures
helped them be better prepared
•Carrying out due diligence checks on key suppliers
to check how prepared they are.
•Sharing best practices amongst your industry
– forums, regulatory sites, secure information
exchange sites, etc.
•Developing your threat intelligence (horizon scanning
and monitoring trends).
•If using cloud services/shared infrastructure, checking
who you share it with.
•Checking that a contractor having ‘trusted supplier’
status does not stop you from ensuring controls are
in place and tests are sufficient.
•Conducting pre‑employment and subsequent regular
checks on all staff to minimise insider threat.
•When buying systems, consider including break
clauses in contracts/service review.
•Carrying out due diligence on third parties prior to
sharing data or infrastructure.
•Consider putting the onus on suppliers to inform you
if they have had an issue.
•Making sure that any new technology acquired is
covered by your business continuity arrangements.
•Identifying where you can draft specialist resources
from and how you would get the required budget
approvals at short notice (if needed).
•Noting single points of failure and exploring the
options to minimise your exposure to them.
•Confirming with your insurers that the potential
impacts of this type of incident are covered by
your policies.
•Consider running exercises and awareness‑raising
sessions on this topic so that staff are aware of what
could go wrong and can take extra precautions
to keep information safe.
•Consider implementing a social media policy,
including what should/should not be available to staff
from corporate devices or when connected through
your business’ Wi‑Fi.
•Wherever possible, ensuring that public and private
networks remain separate from one another.
•Ensuring staff are aware of acceptable use policies
for company systems, including removable media and
BYOD (Bring Your Own Device) policies.
Useful business networks
City of London Resilience Forum – is a forum for
representatives from City Businesses and emergency
responders to share and exchange information on
resilience in the Square Mile.
Contact [email protected] for more information.
EPS London Branch – is the local chapter within the
Emergency Planning Society (EPS) and each year hosts
a series of events. It is run by a volunteer committee of
resilience professionals.
Contact [email protected] for more information.
Financial Sector Business Continuity Groups – are
industry‑led groups that work closely with the UK
Financial Authorities to enhance the resilience of the
UK’s financial services sector:
•Securities Industry Business Continuity
Management Group.
•Retail Bank Business Continuity Management Group.
•Insurance Sector Business Continuity Group.
•Joint Exchanges Committee.
Visit the Financial Sector Continuity Website
www.fsc.gov.uk for more information.
BCI London Forum – is the largest chapter or ‘forum’
within the Business Continuity Institute (BCI) and each
year hosts and manages seminars in London. It is run
by a volunteer committee of BC practitioners.
Visit their website www.bcilondonforum.org for more
information.
Business Continuance Group – is a members’
association for business continuity staff in companies
with mainly financial services interests to meet to
discuss matters of mutual interest.
Visit their website www.tbcg.org.uk for more
information.
Cross‑sector Safety and Security Communications
Hub (CSSC) – is a partnership between the police,
Government and industry that brings businesses and
business networks together to ensure businesses
receive the information they need, when they need it,
to stay safe and secure.
Visit their website www.cssc.gb.com for more
information.
FSIE – Financial Services Information Exchange –
is one of the Information Exchanges supported by the
Centre for the Protection of National Infrastructure (CPNI).
Visit their website
http://www.cpni.gov.uk/about/Who‑we‑work‑with/Information‑exchanges/
for more information.
City of London Crime Prevention Association –
is a membership organisation that seeks to prevent
and deter crime in the financial and commercial sector
within the City of London.
Visit their website cityoflondoncpa.org.uk for more
information.
EPS Professional Working Group on Business
Continuity – is the specialist working group on
business resilience within the Emergency Planning
Society (EPS). It is run by a volunteer committee of
resilience professionals.
Visit their website
www.the‑eps.org/about‑us/professional‑working‑groups/business‑continuity
for more information.
BANG – is a get together of BC management
people who are entertained during the evening by a
‘controversial’ guest speaker in a social atmosphere.
Join their LinkedIn group
www.linkedin.com/groups/BANG-Resilience-Business-ContinuityProfessionals-1463967/about.
Business Risk & Resilience XGen – is a network of
students and industry newcomers from both public
and private sectors.
Visit their website www.brrxgen.com for more
information.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the
principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice
before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers
on how to apply the principles set out in this publication to their specific circumstances.