. 34
( 131 .)


junior staff. This can be because they believe that the code is a theoretical exer-
cise or lip service and that senior executives give mixed management messages.
Those deployed overseas particularly often think that corporate headquarters
does not understand local problems and is only interested in financial returns.
Part B “ Overview of the Economic Aspects of Business Risks

This bottom-line profit is what can bring promotion: moreover personal security
can be at risk if local corrupt practices are not followed. To overcome some of
the middle management problems it is essential to:
Involve them in drafting the code;
Train expatriate managers prior to deployment; and
Maintain clear lines of communication with superiors.
It is always helpful to be proactive and survey the more complex and corrupt
environments for opportunities to operate more honestly and effectively.
Generally this means:
Obtaining detailed local knowledge;
Carrying out detailed due diligence investigations of potential partners;
Building up, confidentially and sensitively, a broad network of relationships
with a variety of local representatives, both in the formal political and
administrative system and beyond;
Not relying on one single patron or sponsor, thereby reducing exposure to
political risk;
Generously demonstrating benefits to the local community (see Chapter 12);
Operating transparently in the wider region to draw on a range of others
against any type of corrupt demand.
It should be emphasised that high standards of integrity form the only reliable
basis for robust risk management and long-term commercial sustainability (see
also Chapter 12).

Chapter summary
As has been mentioned in other chapters (see Chapter 9) a sound business
reputation is critical to successful business sustainability. As part of their risk
management strategy organisations should ensure that a sound approach to
economic crime and ethical issues is part and parcel of corporate strategy, regard-
less of size and location and indeed whether commercial or non-commercial.
Moreover there is no doubt that the overall lack of ethics topics in corporate
training programmes in many business sectors poses another concern in the
quest to achieve and maintain high moral business standards. In order to main-
tain an enlightened workforce the organisation should invest in sound ethical
strategies that can mitigate exposure to related risks.
From all of the above it is clear that the role of human resources is para-
mount and that a happy healthy workforce with good communication flow can
make a huge difference in practice to the health of the organisation. One recom-
mendation that may be made by way of best practice is to include in all train-
ing programmes from top to bottom and vice versa “ ranging from those for
directors to new employees programmes “ some ethics awareness element.
This could be in the form of a mini-case study. Additionally, training employ-
ees to fully understand business ethics relies on competent and qualified
Chapter 7 “ Economic crime, bribery and corruption 159

instructors. The shortage of these instructors, coupled with the continuing
competition between philosophy and management teachers concerned with
business ethics, provides another concern when considering the long-term sus-
tainability of responsible business. Creative solutions are possible and it is in
the interest of small business to be part of the solution finding debate.

Hints and tips
Key message: ˜transparency™
Best standards: will sustain lasting partnerships in global trade as
well as with law enforcement agencies.
Communication: companies need to propound their transparency
internally to their employees as well as globally, to business as well as
Complacency: the enemy of transparency ¦ do not let it happen!
This page intentionally left blank
Business interruption and risk
8 Business interruption and risk

In this chapter the practical issues of business interruption and risk man-
agement are considered. Despite the fact that such matters are of course
paramount in the context of sustainable risk management it emerges from
many practical incidents or case studies and surveys (see below) that
organisations often fail to prepare themselves sufficiently. Indeed even
when they have experienced business interruption managers they often
still do not adequately manage these risks.

Business interruption and recovery
Clear examples of the approach to business interruption and recovery occurred
when the London Chambers of Commerce (LCC) studied the impacts on busi-
ness behaviour one year on following the 7 July 2005 terrorist attack in London.
This report has summed up many of the key issues regarding business interrup-
tion and recovery and its findings are most valuable in terms of sustainable risk
management. It is therefore cited in detail here.
The LCC found in particular that business continuity management is about
more than just surviving a direct terrorist attack on a company™s business prem-
ises. Business survival can also be threatened by failures in other critical busi-
ness areas such as power outages, failures in IT or telecommunications
systems, loss of transport networks, or supply chain disruption “ all of which
may result from natural disasters or random ˜acts of God™ rather than terrorism.
The current UK government™s only legislation on preparedness, the Civil
Contingencies Act 2004, for example, owed its genesis not to the 9/11 terror
attacks in 2001 but to the period from September 2000 to Summer 2001 when
the UK was beset by a fuel crisis, severe flooding and an outbreak of foot and
mouth disease.
Chapter 8 “ Business interruption and risk management 163

Financial help for business
In 2001 the New York City Investment Fund created the Financial
Recovery Fund to help small businesses in Lower Manhattan that were
affected by the World Trade Center attacks. By early 2003, grants to the
amount of $113 million were distributed to 88 small businesses and 34
seat holders of the New York Board of Trade (New York City Investment
Fund, ˜Lessons learned™, September 2003).

The variety and unpredictability of disasters that can affect communities and
businesses was further demonstrated by events in 2005, when the world wit-
nessed the full spectrum of disasters that could befall communities and busi-
nesses, starting with the Asian tsunami and then moving on to include the
Pakistan earthquake, hurricanes in the US, the London bombings and even the
Buncefield oil refinery explosion. It has been reported that respondents to
the London Chamber of Commerce and Industry CMI Business Continuity
Management Survey 2006 rated ˜terrorist damage™ as only the seventh most sig-
nificant threat to their finances, alongside fire but behind utility outage (sixth),
loss of telecoms (second) and loss of IT (first) (see also Chapter 11). Also, the
seventh-placed ranking was actually down slightly on the year before, when
˜terrorist damage™ was rated as the sixth most significant threat. The full table of
results is included below.

Source of threat to costs and Percentage of Ranking Previous Percentage of
revenues respondents (2006) ranking organisations™
identifying (2005) contingency plans
this threat which include
(2006) this (2006)

Loss of IT 67 1 1 67
Loss of telecoms 56 2 2 63
Loss of people 56 2 5 51
Loss of access to site 54 4 6 61
Loss of skills 49 5 3 40
Utility outages 45 6 8 51
Fire 44 7 3 55
Terrorist damage 44 7 6 45
Damage to brand or corporate 39 9 9 26
Negative publicity 34 10 10 28
Employee health and safety 30 11 11 41
Supply chain disruption 28 12 11 27
Environmental incident 27 13 11 42
Flood/high winds 26 14 14 42
Customer health/product safety 26 14 15 22
Industrial action 22 16 15 20
Pressure group protest 16 17 17 16
(Source: CMI Business Continuity Management Survey 2006)
Part B “ Overview of the Economic Aspects of Business Risks

More importantly, when asked to rank these factors in terms of those which had
actually had an impact on their organisation during the previous year, managers
placed direct ˜terrorist damage™ at the bottom of the list, impacting on just 3%
of respondents. Loss of IT topped the poll with 38%, followed by loss of people
(29%) and loss of telecoms (24%).
Nonetheless, although managers said that their business had not suffered
direct damage from terrorism, many reported knock-on effects from the 7/7
bombings in London. Some 10% of survey respondents said the bombings had
caused ˜significant disruption™ while 26% said it had caused ˜minor disruption™
and 24% said there had been a negligible effect. Thirty-six per cent of managers
said their organisation had seen ˜no impact™ from the terror attacks. In contrast,
70% of managers said the Asian tsunami had no effect on their business and
77% said they had seen no effect from the Pakistani earthquakes.
Several other potential threats to businesses have raised in prominence
recently, most notably a possible avian flu pandemic. However, despite the sig-
nificant media attention the threat of a flu pandemic received, businesses evi-
dently remain unprepared. An LCCI London Business Leaders™ Panel survey in
February 2006 found that just 19% of firms had a contingency plan in place to
deal with an avian flu pandemic. Some 10% of London firms had updated their
existing contingency plan to deal with avian flu and only 6% had tested their
plans in the context of a pandemic.
In view of increased public interest in climate change, concern over environ-
mental disasters and extreme weather conditions has also gained in priority. A
sustained heatwave in France during August 2003 did not just result in the deaths
of an estimated 11 000 citizens but also threatened national power supplies and
caused IT systems and data centres to shut down or overheat. An AXA Insurance
survey found that SMEs cited severe weather patterns as a bigger threat to their
business than poor management or competition (Axa Insurance, April 2006).
The Hurricane Katrina disaster in the US is estimated to have caused
insured losses of $25 billion, making it the costliest storm in US history. Lost
tourist revenues in New Orleans alone are said to have topped $5 billion and the
Mississippi River™s gaming industry was all but wiped out with the state™s 12
floating casinos either severely damaged or destroyed. As a result of the storms
and flooding 91% of oil production and 83% of gas production in the Gulf of
Mexico was shut down, forcing petrol prices and energy costs to rise sharply
across the US. Freight transport companies lost $3“4 million a day while
the region™s 12 ports were closed (˜Counting the cost of Katrina™, BBC News,
September 2005). In the state of Louisiana alone an estimated 18 750 businesses
were destroyed, wiping out 240 000 jobs (Acadania Regional Development
District, Louisiana Hurricane Statistics 2005 (2005)).

Buncefield: a lesson in contingency planning for business
As is again explained in the LCC report, one useful example of the need for con-
tingency planning is the Buncefield oil refinery fire in the UK in December
2005. This example is cited from the report by the Business Continuity Institute
Chapter 8 “ Business interruption and risk management 165

(BCI) and described the Buncefield disaster as ˜what business continuity man-
agement is all about™. According to Lyndon Bird, technical director at the BCI:
˜It provides more messages and lessons than all of the other annual incidents
put together. Firstly, it just happened “out of the blue”, with no obvious reason,
warning or prior experience to suggest it might ¦ Secondly, it happened at the
most inconvenient time, two weeks before Christmas when demand for oil
products was at its peak and many organisations were working at full capacity.
Thirdly, it was the things that many had not planned for that caused the most
concern, for example police and other emergency service access restrictions.
Lack of access to their own business premises (even if not damaged) caused
anger, conflict and major frustration™ (˜Buncefield “ What BCM is really all
about?™ Continuity magazine, www.thebci.org).
The Buncefield disaster had a heavy impact on surrounding businesses.
Internet retailer ASOS suspended trading on their shares, the headquarters of
software firm Northgate Information Solutions was severely damaged and had to
initiate its contingency plan, and DSG International, the firm that owned Dixons
and Currys, had to close its head office (˜Fuel blasts close neighbouring firms™,
The Guardian, 12 December 2005). According to Geoff Howard, director of The
Continuity Shop: ˜After the Buncefield disaster, several companies went bank-
rupt which weren™t even damaged by the explosion, but were just in the exclu-
sion zone. One wholesaler of Christmas supplies was caught in the exclusion
zone for a week, and due to the nature of his product, was unable to deliver to his
suppliers in time for the deadlines. Clearly due to the investment made in the
stock he could not wait another year, and hence went bankrupt. This illustrates
the importance to SMEs especially of having some kind of business continuity
plan in place, as well as some kind of insurance which covers such eventualities.™
These sentiments were echoed by Professor Jean-Noel Ezingeard of the
Henley Management College, who said: ˜Something like Buncefield, where
businesses three miles away were affected, should bring it into focus. Every
business owner should be looking at the effect an incident could have ¦ They
need to prepare for the impact on trade, turnover and stock.™
Following the Buncefield disaster, data management software designers
Version One conducted research which found that 30% of finance directors did
not believe that their business would survive the loss of all paper records and
business documents in the event of a disaster. Some 32% would take 12 months
to recover and 38% estimated a recovery period of approximately six months.
In terms of the financial cost of losing paper records, 45% of firms estimated
the cost to be at least £50 000, 32% of firms said the cost would be between
£100 000 and £800 000 and 15% of finance directors said the cost to their busi-
ness would be more than £1 million (Version One, Financial Directors say 30%
of Companies at Risk, January 2006).

Barriers to developing contingency plans
The LCC has found “ as SERM case studies have also discovered “ that a lack
of adequate contingency planning is a major issue for SMEs in particular. It is
Part B “ Overview of the Economic Aspects of Business Risks


. 34
( 131 .)