|
by Philp
Jan Rothstein, FBCI
The tragic 1995 Oklahoma City bombing taught us, among
other things, that there is no room for complacency in the corporate world.
As appears in the July / August, 1995 issue of
InfoSecurity News Magazine.
Reeling from the horror of Oklahoma City, I keep
coming back to the question that a commentator on CNBC-TV asked me during
an on-the-air interview: what must businesses learn from this tragedy
and from the World Trade Center bombing? Without a doubt, I believe lack
of recognition of the potential for 'unreasonable circumstances' stands
as the issue too often ignored. Too many businesses are oblivious to their
vulnerabilities.
Bombs
do not represent the only 'unreasonable circumstance' confronting businesses.
Threats do not even have to be physical: power failures, communications
breakdowns, even corrupted data bases can be as devastating. Handling
known threats in a contingency plan is almost a 'no-brainer.' After planning
for every conceivable threat, exercises should assume threats which were
never planned for - this is the acid test of an effective contingency
plan. Would you rather be saying, "where did that come from?" or, "we
saw it coming and handled it before it got out of control?"
Gary
Player, the South African golfer, noted "The harder you work, the luckier
you get." How many contingency plans have an aggressive avoidance / prevention
/ mitigation component? As I understand, the Murrah Federal Office Building
in Oklahoma City had a single security guard on duty. Could a more assertive
security presence or risk assessment program have averted disaster? Which
is better, effective management of / recovery from a crisis or not experiencing
a crisis in the first place?
Developing
a contingency plan is not enough. The plan must be realistic and, above
all, exercised aggressively to have any value. As the atrocity in Oklahoma
continues to unfold, I fear businesses may be trapped by three pitfalls.
First, I observe with trepidation the knee-jerk reactions of businesses
suddenly tightening security and dusting off contingency plans and crisis
management programs. Unfortunately, as the World Trade Center bombing
demonstrated over two years ago, the sense of urgency tends to fade quickly
as other business priorities and crises loom. I have heard that on the
order of two hundred businesses never recovered after the World Trade
Center bombing. I suspect many people formerly employed by these two hundred
companies view contingency planning from an entirely different perspective.
The
second pitfall is denial - "it can't happen here." Worse, denial of the
importance of the human element - and of the powerful role of human nature
- in contingency planning is all too common.
The
third and least excusable pitfall is complacency. There is absolutely
no excuse for contingency plans which have been developed for appearances
and not for results - "we developed the contingency plan, we documented
it, now leave us alone so we can go back to our real jobs." Without a
committed exercise program, an untested contingency plan may almost be
more dangerous than no program at all.
Forgive
me if I sound cynical; I am really not. I am optimistic that the business
continuity profession will benefit, albeit perversely, from the heightened
awareness brought on by this tragedy. Merlin Olsen, the football star,
observed, "One of life's most painful moments comes when we must admit
that we didn't do our homework, that we were not prepared."
Copyright (c)1997-2003, Rothstein Associates Inc. All
Rights Reserved.
|
