Michael Burke discusses local authority disaster and contingency planning
Life could be about to change for local authorities. Disasters can no longer be brushed under the carpet and ignored. Catastrophes are demanding attention. Today the UK faces changing risks and threats. Ensuring that the impact on service levels is as minimal as possible is now key to the success of councils, and the main tool to moving in this direction is business continuity.
The Civil Contingencies Bill, currently under consideration by the Office of the Deputy Prime Minister, advocates that disaster planning should become part of a structured routine for local authorities. Following on from a disaster legacy which has seen services struck down by a fuel crisis, wide-spread floods and the aftermath of September 11, people are becoming more aware of the potholes which need to be effectively dealt with, not dodged.
The Bill is divided into two main parts, separating out issues concerning local arrangements for civil protection, and emergency powers. As well as local authorities, it will affect the emergency services, certain National Health Service bodies, the Environment Agency and the Maritime and Marine Coastguard. It will also have implications for utility companies, the transport sector and the Health and Safety Executive, although they have no duty to comply with the new regulations.
Not since the 1920 Emergency Powers Act has the focus on this subject changed, and eight decades later, the change could be radical. Business continuity planning and on-going risk assessment will become a requirement. It will be mandatory for councils, not an option. As budgets are stretched even further, most councils are currently choosing to bury their heads in the sand, praying that lightning will not strike. After all, if a disaster does not happen, all the money and time spent on planning is a waste. But is it?
Basic risk assessments blow away the fog and enable councils to see the hurdles which they could stumble over, before they embarrassingly take the fall. It is a preventative process, and acts as an indicator of how to move services forward in the face of adversity.
Business continuity planning can be interpreted in different ways by different councils, but using the definition set out by the Civil Contingencies Bill, it relates to: 'an event or situation which presents a serious threat to human welfare, or to the environment, or to political or economic stability, or to the security of a place in England or Wales' Clause 1 (i).
This means that if a disastrous event occurs, the disruption to the continuity of services that need to be provided to stakeholders, is kept to a minimum. Disasters can be minor as well as major physical events; they range from a leak in a vending machine, which drips into the IT department, to a huge fire which burns down the town hall.
Nearly all local authorities have some sort of plan to cope with IT problems. It is a fundamental part of a council's ability to operate, and the disruption to communications due to a breakdown in IT could effectively cut off the local authority from the outside world.
But there is still a reluctance to plan in other areas. This is because it is a monumental exercise to undertake effectively. It takes a lot of time and resources, but the impact could be catastrophic if a plan is not in place. How would a council begin to assess the problem if it were already on the back foot and if time were crucial? It would already be starting from a negative position.
The planning cycle is the key to identifying risks and preventing this situation. It requires a systematic approach to identifying all the risks that threaten the continuation of service delivery, and an ongoing approach to managing the risks that pose the greatest threat.
In order to achieve this, a five step risk management cycle needs to be established.
1 Risk identification - Risks or obstacles to the continuation of service delivery need to be identified through a carefully managed exercise, involving all relevant staff including senior management, and covering all areas of the council's work.
2 Risk analysis - Risks need to be analysed to determine the likelihood of their occurring and the impact to business continuity if they do.
3 Prioritisation - The easiest way to analyse and prioritise risks is through the use of a matrix. Mapping all the identified risks on to a matrix (see case study) provides for a natural prioritisation of the risks. Business continuity risks, by their nature, tend to appear towards the bottom of any matrix, meaning there is a low likelihood of them occurring, but often with a catastrophic impact. By identifying the appetite for risks it still allows for some risks to be lived with, in turn allowing the council to focus on managing those risks which are greater than the appetite.
4 Risk management - Action plans need to be developed to ensure that these risks are managed in such a way as to reduce the chance of them occurring and/or the impact to service delivery if they do.
5 Monitoring - Progress against these plans needs to be regularly monitored by the management team.
A cycle then becomes clear; plans are made, service delivery is unbroken, performance is enhanced, and this feeds back into the performance management framework. The focus is on doing what matters to make a difference. The process is essential if a council wishes to achieve its goals. It is also critical if it does not want to be blocked and defeated by disasters.
Subject to resources being available, a council could develop its own business continuity plans, and carry out its own risk assessments. This would have to take place on a rolling basis, as risks and environment change and evolve. However, as templates are already available there could be an element of re-inventing the wheel involved, not an ideal situation when resources are stretched.
Slowly people are coming round to the idea that some disasters can be avoided. It is not a matter of predicting the future, but intelligently putting a process in place to help identify potential problem areas and develops plans to cope with them. To be prepared is to be forewarned.
Michael Burke is operations manager, Zurich Municipal Management Services
LESSON FROM AMERICA
UK contingency plans for national crises, such as the power blackout experienced in the US and parts of Canada need to be treated as a priority, warns ALARM, the national forum for risk management in the public sector. It says that public organisations such as local councils should pay greater attention to their risk management and business continuity planning, amid fears that a disaster like this in the UK might damage public services irreparably if not properly planned for. Services that could be affected include health, fire and rescue, and police.
ALARM states that recent reports have proved that many local authorities are under-performing their risk management duties. Although it believes that London is one area which has stepped up risk management and has strategies in place to ensure that services do not come to a halt should a national emergency occur, it claims that the relative lack of preparation for such incidents countrywide in the UK is now a major cause for concern.
ALARM chairman Bob Cope said: "The recent Civil Contingencies Bill, drafted by the Government to reinforce local authorities' ability to deal with civil emergencies was met with mixed opinions, but the events in America have proved that measures do need to be taken and such proactive moves are not misplaced. Burying our heads in the sand is not an option, and we cannot afford complacency."
NEXUS CASE STUDY
In January 2003 ZMMS facilitated a business continuity workshop for the light rail Metro section within Nexus, Tyne and Wear's transport system. The workshop involved key staff from both front line service delivery areas and support services. This ensured that a wide view was taken on risks that might interrupt business continuity. For Metro, this meant service provision, and the first part of the workshop was spent identifying all possible risks that could affect the Metro service.
The reasons for running the workshop were primarily to identify all risks to service delivery, prioritise them and then action plan the key risks. The positive factors that emerged from the workshop included demonstrating to outside bodies (inspectorate, insurance companies) and other stakeholders, such as the passenger transport authority and local councils, that Metro manages its business continuity risks effectively through a formal process. The workshop also proved very useful in its ability to increase knowledge and understanding of the risks being faced, across all parts of the organisation.
The identification stage focused around risks in respect of technological, operational, physical and possible incidents. In total, 38 risks were identified including:
Each risk identified was profiled against likelihood and impact. Before starting the risk profiling, the group discussed and agreed on the definitions of impact. Due to the impact on the ability of the business to operate as normal, it was fairly easy to agree what the different impacts - negligible, marginal, critical and catastrophic - meant. For example, the definition of a 'catastrophic' event was agreed to include:
The risks were plotted on a matrix to give a graphical representation of where the major problems occurred. Not surprisingly the majority of the risks were profiled towards the bottom end of the scale as having a low impact on the business, and low likelihood of taking place.
The next stage of the exercise was determining the appetite for risk. Each risk above the appetite line was then action-planned. This proved an informative exercise, as it consolidated all the actions already in place and identified new ones. Each risk was owned by a senior manager, and key dates and key success factors were established. The progress of the action plan is reviewed on a six month basis.
Nexus has since decided to repeat this business continuity exercise across other parts of the organisation to ensure that all possible risks are clearly identified and, where appropriate, managed. As part of an overall risk management strategy, the company feels that business continuity is a key area to focus on.