The terrorist attacks of September 11 2001 should have been a wake-up call for the business community in Britain and across the world. However, nearly four years on, national surveys show 49 per cent of all UK businesses lack plans to keep the wheels turning if the unthinkable happens. Astonishingly, that number has only improved by 5 per cent since the 9/11 attacks. Where there are plans - mostly among the larger and more regulated businesses - one-fifth have never been tested.*
Why has business been so slow to get its act together? We watched as the 9/11 attacks unfurled, we watched the Madrid bombings, we watched as there were targeted attacks on businesses overseas. But an attitude of 'it could never happen to us" has permeated the wider business community.
If nothing else good comes out of the tragic July attacks in London, perhaps at least they will dispel some of this complacency. After the first wave of attacks on July 7, the heads of business found themselves doing staff roll calls, realising they did not have correct contact details or effective cascade communications systems in place. With mobile telephone networks down and intermittent land-line access, many relied on television and radio to keep up to date with developments. It brought home the critical importance of having straightforward and simple continuity plans in place - something that all staff can understand.
This is not to detract from many of those organisations that are well prepared. But they are often highly- regulated larger companies or those with strong international links. Particularly well prepared are what the draft civil contingencies bill terms "category 1 and 2 responders", including the emergency services, local authorities, utility companies, railways, airports and the Health and Safety Executive. Many such organisations also reaped the rewards of developing their IT Ă‚Âcontingency plans in response to the "millennium bug" concerns in the late 1990s.
At the risk of hectoring, it is vital to stress that preparation really could mean survival. Those organisations that have prepared and exercised their responses to disruptive incidents, such as terrorist attacks - although it is much more likely to be flooding or IT failures - are more likely to survive.
The value of planning can be measured in lives saved and suffering minimised. It can also be felt in the quiet, collective resolve that has been growing across London in the past two weeks. A controlled response to random acts has given people the confidence not to give in to fear and to calmly go about their lives. The focus after these kinds of events should be on the individuals involved - that must always be the case. But every business throughout the world should also consider how it would cope if something like this happens at its front door.
Of course, disasters cannot be prevented. We do not choose when or where they strike either. The impact is immediate. Best laid plans go out the window and the aftermath threatens to wipe out years of hard work. That does not mean, however, that disaster must be followed by a desperate fight for commercial survival. Starting to make a business more resilient costs nothing. It is about asking the "what if" questions. What if profits become losses in an unpredictable few seconds? What if the cash lifeline is cut and tomorrow's growth is gone? In short, what is the worst thing that could happen and how likely is it to happen?
The biggest challenge is for small and medium sized enterprises - which, in the UK, employ half the workforce. They are the least equipped to shrug off the impact of any incident because of their size. While there are many factors that prevent planning in smaller businesses (not least, the availability of time), the main issues are poor understanding of the potential impact and, crucially, a lack of clear and simple information. Many businesses simply do not know where to start. This must now be a priority for government and supporting agencies.
For those companies that have laid continuity plans, danger is complacency. A plan does not remove risk. It just provides the opportunity to manage it. Without training and testing, weak and unworkable contingencies can break a business just as surely as having no plan at all. All businesses, no matter where they are located, must take action now.
