Sharon Roots discusses the need for business continuity planning, highlighted by recent acts of terrorism in London

The bombings in London on Thursday 7 July 2005 and the subsequent unsuccessful attacks have led to the worst carnage and disruption due to terrorism for more than a decade.

The emergency services and local authorities relied on highly evolved emergency plans to deal with the immediate impact of the terrorist attacks. These plans had been developed and tested, but not put into practice at such levels before July. But what about business continuity?

How many organisations were prepared for their staff not turning up for work, or had considered not being able to access their buildings or rely on their normal routines? In the worst case how many would have been able to cope with the loss of key staff?

Public sector organisations face a double edged sword. Not only must they prepare for a disaster, but they must also be prepared to deliver exceptional and extreme levels of service while dealing with the impact of such a disaster.

The potential consequences for the public sector of a failure to identify and manage significant threats could result in both human and service costs. These could include:

- inability to maintain essential services to the public
- damage and loss of reputation
- significant failure to protect assets (people and property)
- failure to meet legal or regulatory requirements.

Business continuity methodology requires precautions to be taken in all areas of the organisation to reduce the risks involved, while recognising that eliminating those risks completely is not possible.

Public sector organisations face multiple expectations:

- the public expect plans to be in place to ensure continuity of service
- stakeholders expect management to be in control and to be seen to be in control
- staff and suppliers expect protection of their livelihoods.

So business continuity planning is good (risk) management.

Those plans should consider a range of issues, such as peoples' means of transport into work. In the recent incidents, the resulting disruption left people unable to get home, and unwilling or unable to turn up the next day.

Consider too the psychological impact, not just on those close to a real event, but also on those whose worry about the safety of loved ones may distract them from their work. Do organisations know the whereabouts of their executives, and can they contact them quickly? Do they have up to date records of next of kin and accurate contact details?

How do employers manage this? It is not the usual thing that has to go into a business continuity plan, but planning for the possibility could avoid considerable disruption in the hours and days following a terrorist attack.

Service as usual

The recent attacks have brought home the extent to which business continuity is an essential part of the armour public sector organisations use to ensure that everything can carry on as normal. Indeed, many public sector bodies refer to business continuity as 'service continuity', seeing themselves as service providers to the public not in business.

The newly established statutory duty for public sector bodies, enshrined in the Civil Contingencies Act of November 2005, is laudable but many public sector organisations find business continuity planning a new learning curve. Therefore ALARM, in partnership with Insight Consulting, has launched a Guide to Service Continuity Planning (SCP) that will be available to members of ALARM on the website. This gives practical help in designing an SCP with examples and case studies.

However, the Act requires more than organisation-wide plans. It was specifically written in the recognition that a response to a disaster of these proportions needs to be coordinated across multiple agencies, including the emergency services, the local authorities (in this case several local authorities) and the health authorities.

Delegates at ALARM's recent annual conference debated the effectiveness and the roll-out of the requirements of the Act. Some 80% of the delegates at the relevant workshop were unaware of the responsibilities assigned to them in the community risk register, were unable to identify the relevant representative at the Local Resilience Forum (LRF), or were unaware of any preparation within their own organisations.

They were challenged to go back to their employing organisations and drive their business continuity plans from the bottom up, with the emphasis on the extreme responses required in the face of a disaster. Ironically, this message was delivered to delegates two days before the events of the 7 July.

ALARM remains fully supportive of the premise of the Act, and is anxious that its members' expertise is fully utilised in multi-agency planning and preparation. However it does remain concerned that the establishment and effectiveness of LRFs have been slow to provide tangible outputs.

It is generally accepted that London, through the London resilience programme, is better prepared than most for dealing with such a disaster - quite properly, given its higher risk as a target. However it is essential that all public sector organisations consider that a disaster could happen to them, and that they have plans in placed based on a risk management methodology. Robust, risk-based planning will ensure a best response based on preparation rather than heroism.

Sharon Roots is chairman of ALARM - The National Forum for Risk Management in the Public Sector,