Civil Contingencies Act and Business Warning
"The Need for Robust Resilience & Defensive Planning"
The government's decision to assess the need for and implement the Civil Contingencies Act (CCA) should alert the commercial world to the presence of possible “New Wave” risk and hazard assessments. Growth of disaster and continuity planning has been relatively constant over the past few years, although most would agree that the majority of companies have no plans, and few of those that have plans test them regularly or, more importantly, significantly challenge them under duress. The CCA appears to be a break from the traditional values and protocol of planning, and a paradigm shift may be witnessed.
Paper Hypothesis
To prove that historic industry planning parameters have been overshadowed by the government's horizon scanning and in particular the introduction of the CCA.
Overview
The CCA was introduced in response to the change in risk and hazard our civilisation now faces. National flood events were unusual, hurricane strength and frequencies unheard of, and the threat of drought or dirty bombs was simply not considered. The emergence of drug resistant bacteria such as MRSA, epidemics of meningitis and pandemics such as Avian Bird Flu have clearly focused government’s attention on the risk of economic collapse. The CCA requires the country's front line services to be prepared and, more significantly, to “guarantee” supply in the face of adversity. Power, water, electricity, blue light services are typically seen as a focus point, but following the initial aftermath of a serious disruptive event, could business and our economy survive?
The first indicator of change is the “doomsday outlook”, where planning for catastrophic loss is the basis. For example, there is a clear shift from the typical and historic localised risk, such as a 400m blast zone from, say, an IRA bomb, to wide area emergencies such as the loss of an entire county or city, or indeed where the UK could be at risk. The following shortened excerpts from the CCA can be seen to include both natural and engineered disasters (terrorism), threats to the environment and, most importantly, disruption of the essential services. http://www.opsi.gov.uk/acts/acts2004/20040036.htm
The significant (edited) points of the act are as follows:
1. Identify emergency scenarios as those which will affect,
(a) Human welfare, the environment, war or terrorism which threatens serious damage or security of the UK.
(b) Contamination of land, water or air with biological, chemical or radio-active matter, or disruption or destruction of plant life or animal life.
2. Recognises the following possible consequences:
(a) loss of human life,
(b) human illness or injury,
(d) damage to property,
(e) disruption of a supply of money, food, water, energy or fuel,
(f) disruption of a system of communication,
(g) disruption of facilities for transport, or
(h) disruption of services relating to health.
3. The act covers the following environment for threats;
(a) Disruption or destruction of animal or plant life and/or the land, water or air, from CBR (chemical, biological, radiological) contamination.
4. The act provides authority to act whether the criteria fall inside or outside the specification and legislation as written, and includes the right to act inside or outside the UK.
The bottom line is that the CCA allows the government to take whatever action it deems necessary to protect UK PLC. The legal obligations, well written and with catch-all components, are backed with similarly encompassing liabilities for those that fail to comply. Compliance and legal liability to conform is policed by duty holders and the government agencies, with the authority in the High Court to grant any relief or make any order that it thinks appropriate.
The CCA has provided the framework, but people make things happen. The recent Buncefield oil storage fire should be seen as a red flag for those that believe legislation and plans alone will suffice. Buncefield, a COMAH site (Control of Major Hazards & Accidents), was governed by the strictest health & safety legislation, which required tested and audited plans to ensure risks were eliminated or controlled. In the event of the fire and ensuing disaster we saw that, despite the site and plan being tested just 3 months before, the risk assessments, response plan and control were wholly inadequate.
The first point regarding 21st century disasters is likely to be scale and disruptive effect, and the second is how, or if, 20th century logic in planning would provide defence against these events. Resilience and Robust plans are two significant new terms introduced into planning recently. The historic belief that we need to plan only for the initial aftermath, as support or resources will be available, is possibly now wishful thinking. Management so often recognised insurance and market resources as replacements for, or supplementary to, competent business continuity planning. This support, in my opinion, is no longer a viable option and companies must indeed now become independent in their resilience and survival. Emergency blue light capabilities are unlikely to match the requirement of major wide area disasters quickly, and planning must now accept self defence as a key factor.
The CCA can clearly be seen to encompass the widest range of planning objectives possible, but equally places responsibilities on almost every sector of the economy.
I mention every sector of the economy as we have seen from past disasters that almost every business sector works in synergy or symbiotically with others and each could eventually be said to be essential. It can therefore be reasonably assumed that the CCA is actually the contingency plan for the country, but does every sector understand their position or liability?
Those charged with primary responsibilities are classified as Category 1 & 2 responders. These are generally seen as local authorities and blue light or essential utility suppliers, but of course these may require the support of their respective supply chains and they in turn their supportive suppliers.
Section 2 of the act places additional responsibilities on planners to:
Prevent, Mitigate and Control emergencies or disasters.
You will note there is no mention of insure or recover. The significance here is that the typical business continuity plan, which recognises the need to plan for effect not cause, has been replaced with a new logic that there is no place for consequential loss or effect which could remove the ability to function. Elimination, control or mitigation of cause has replaced the usual dictum of planning for effect, and this in my opinion is long overdue.
Following many years of auditing BC & DR plans I have concluded that market resources and insurance provide the backbone of many contingency plans. While these dependencies are of course adequate and usually available in times of localised disruption or disaster, they will be diluted into insignificance when the central and wide area business district is faced with major events.
Typical major events
- Wide area flooding where usual utility facilities are lost
- Buildings lost and usually available premises damaged too
- Epidemic or pandemic
- Terrorist CBR (chemical, biological, radiological) release
- Inclement weather: snow, blizzard, tornado
- Loss of power, gas, fuel
- EMR electromagnetic pulses from the sun destroying or damaging IT systems
- Cyber terrorism
- Chemical or fuel plant explosion
- Outrageous circumstances such as the Ammunition Ship Montgomery sunk in the Thames estuary in 1944 capable of producing a multi kiloton explosion http://www.thisislondon.com/news/londonnews/articles/12667880
- Critical Thames barrier failure
- Transport infrastructure collapse by terrorism or Unions
- Nature generally
- Engineered terrorist events
Typical dependencies include;
- Oversubscribed Hot Sites which could never cope with demand if all contracted services were required
- Limited availability of back up facilities or IT technicians
- Police force where required for defence, control in wide area events
- Insurance for damage, contamination, where most policies exclude and policy wording will make assistance difficult
- Contracted support services which may be confiscated by authorities
Example of CCA Against Normal BC Planning
The brief examples that follow may be, and usually are, seen as extreme circumstances which are unlikely. The basis of the CCA is to plan for the unlikely, to identify possibilities and to prevent, mitigate or control their cause and effect, and not simply react to their cause.
While many would argue that the following example scenarios are an exaggeration of likely incidents, it should be remembered that this simply echoes recent events such as Buncefield, Chernobyl, Manchester fire/bombings and loose terrorist events coupled to increasingly threatening natural disasters such as bird flu or flooding.
Two commercial examples follow, which provide some support to the hypothesis.
Both companies share the same building. A chemical plant 10 miles away has had an explosion. The cause is not believed to be terrorism but lack of safety compliance due to high absenteeism caused by a flu epidemic. A toxic cloud is travelling towards the Central Business District (CBD).
Although normal business continuity and contingency planning practice is regarded as sufficient, I believe that it has limitations when faced with the larger or wide scale event.
1. Financial Institution
No provision under CCA plans
Business continuity plans follow the historic 10 point guide as recommended by the Business Continuity Institute (BCI). Contingency plans are required by the Financial Services Authority (FSA). Plans were designed to emphasise the reaction to effects rather than prevention of cause.
The company identified the high potential business impact from loss of facility or function. The BC plan assessed the need for I.T. back up and had purchased two weeks' desk space at one of the biggest three “Hot Site” providers. Following news reports the building was evacuated and employees sent home to work from there, with key personnel agreeing to work from the secondary hot site location. Insurers were notified of potential loss and asked to assist in the recovery and, more importantly, fund recovery. Contracts were in place with staff agencies to support expected absenteeism.
The width and spread of the contamination plume resulted in the almost complete evacuation of the CBD. Many employees found they could not get home due to transport failures and many were exposed to inhaled toxic dust which increased the potential of future absenteeism. Some employees returned to their work place and brought secondary contamination into the building. The toxic cloud was acid based and where in contact with electronic or metallic surfaces was likely to cause serious and intermittent IT faults due to corrosive effects. Hot site providers were overwhelmed with companies implementing desk and facility contracts. All local “Hot Sites” were closed and rural sites were significantly oversubscribed. The company decided that their best option was to return to their core office and implemented their disaster recovery plan to decontaminate their offices and make safe. Insurers initially recommended their preferred disaster recovery company who arrived on site with equipment to decontaminate and make safe. The following significant points materialised;
1. Due to high levels of absenteeism, coupled to unprecedented work load, loss adjusters working for insurers were not available to assess the scope or limitation of the policy; however, it was noted that secondary aerosolisation was not covered in the policy. Therefore the company were faced with substantial decontamination costs.
2. Due to the extenuating circumstances, power supplies were intermittent, and the “building” auxiliary generator was utilised to provide power. The generator and fuel supply were only capable of providing emergency lighting and limited IT provision, but sharing between other tenants was agreed.
3. During the clean up, decontamination equipment was confiscated by the Police to assist other tenants in the building and locally who had obligations under the CCA. (This is without compensation or ability to remonstrate.)
4. All auxiliary available power was routed to the CCA participant to allow their full operation. This left the financial company with no power or facility.
2. Local Authority
Category 1 provider under CCA
The department provided the payment and care of the local disabled community. The local authority has a legal obligation under the CCA to provide continuance of essential services. Obviously local knowledge, facilities and lower paid workers mean that movement to alternative facilities would be seen as difficult. The plan follows CCA criteria of defensive resilience.
The plan first identified preventative measures to reduce disruption, evacuation and likely causes. This included low cost procedures to defend the building such as ventilation and environmental controls. Mitigation planning included the training and equipping of incident response teams to undertake defensive procedures. The overall risk and hazard faced by employees was reduced by awareness and practical training coupled to the provision of limited PPE (personal protective equipment). The control of the incident included Shelter in Place (SIP) procedures due to considered risks from evacuation.
This event was identified in risk and horizon scanning, although in different forms, and recognised as a high hazard, low risk event. Training in hygienic work practice had already been undertaken to reduce normally expected absenteeism from communicable disease, and a recent refresher course was provided on the specific risk of flu and methods to avoid cross infection. The incident response team had been successful in preventing contamination entering their work space, although due to the failure of other tenants to recognise the building vulnerability a cohesive and joint defensive plan had not been considered. This meant that common parts and almost all other floor and building areas required substantial and costly cleaning and decontamination.
Significant responsibilities, liabilities and legislative powers make the CCA a development and proving ground where dynamic planning replaces the historic static structures. This is, in my opinion, business continuity at the extreme and highest level, with plan or function failure simply unacceptable as life or the national interest could be at stake. The CCA and planning relevance in the face of the risks and hazards of the 21st century should in my opinion be recognised in the commercial world as a supportive feature to current planning objectives.
Apart from the legislation and duties mentioned, almost every commercial organisation in the country can be assumed to be in some part of someone’s supply chain and therefore assume either liability or increased vulnerability.
It is quite clear that the government have, quite rightly, identified and ring fenced those organisations or suppliers that have or could have the most significant effect on the country should they fail in their service obligation. While CEOs can debate or ignore the benefits or budget requirements of BC planning, they have the luxury that if they are wrong they would simply be dismissed or at worst face some legal or personal liability; the CCA targets cannot be left to individual or personal assessments or allowed to fail in their function.
Time and again I have seen the core business faced with catastrophic loss because of assumptions that someone else will support the company post disaster. Most are lucky and assistance can arrive in the form of loss adjusters, insurers, building and IT suppliers and contractors. What has always been missing is slack and excess capacity, and the planning for effect surely depends on the scale of dependency in terms of self and others' requirements.
This of course opens review of recent large scale events such as:
- The six week New Zealand power outage, where almost all airline tickets were taken up by the banks and financial sector to move employees in and out of the country to secondary work locations.
- Canadian ice storms, where similar cheque book planning bought up all available generators.
- New Orleans flooding, where almost no local business could or did survive.
- Foot & Mouth outbreak of 2001, which effectively halted the travel and holiday industry in the UK.
These incidents are simply examples of large scale events which were unexpected and unplanned for. Significantly, had they occurred in a major capital and/or industry, they could have had catastrophic consequences for the country's economy and indeed commercial survival.
Business Continuity planning professionals often quote that 80% of companies without a plan fail; perhaps the figures of survival of those with a plan should be examined. Few plans work on the day. Yellow Pages, coupled to authority, courage and the ability to work under pressure, often carry the day in localised disasters; however, larger scale events are likely to see luck or resources disappear.
Planning should therefore be recognised as a first stage and auditing as an essential secondary event.
In recent years auditing has become a more recognised necessity, but unfortunately auditors are either the writers of the plan, associated with the authors in some way, such as a working relationship, or worse still are engaged and paid by the author's purchase order. From personal experience I have often been asked to leave out or reduce impact findings from audits, and of course this simply leaves senior management in the realms of false confidence and more often the planner short of additional funding with which to address plan shortfalls.
The CCA has put great emphasis on distributing responsibilities away from the government and squarely onto the shoulders of the duty holder. This is of course in line with legislation such as Health & Safety at Work Act 1974, in which the government recognised it could not initiate legislation that would provide safe working conditions in unknown and differing working practices.
Conclusion
Various planning or information templates such as PAS 56 (Publicly Available Specifications) and in particular the Business Continuity Institute (BCI) 10 point guide to business continuity planning, provide the essential basis of all contingency plans. These templates have been developed from logic and experience of typical disaster scenarios.
The government however recognised that, increasingly, unusual disasters and disruptive events are likely to have wide area ramifications and that key service providers, as in the commercial world generally, have a high dependency on supply chains that generally plan to respond rather than defend.
The result is the CCA legislation, which places a firm and reasonable responsibility on those that provide essential services to the public and/or to the nation in general. The legislation clearly identifies responsibility in terms of success and provision of continuity and significantly expects that planning is established to prevent, mitigate or control events in what is termed “Robust Resilience”.
The knock on effect should be the acceptance by the commercial world that disruptive events from any source, ranging from technical and natural to engineered terrorism, require additional and supportive planning modules.
This paper is copyright but may be reproduced with permission and accreditation to Jeff Charlton http://www.disasteradvice.org/Home/tabid/310/Default.aspx ++44 (0)8700 789 999