RFP Magazine
FACILITIES

Risky Business
Issue 36 - Nov 07

In a world where the spectre of terrorist attacks looms large for international companies, risk assessments and business continuity planning (BCP) have become a part of everyday life. Yet if someone really wanted to attack your facility and cripple your business, they could still do it. Claire Saeki asks whether the BCP is worth the paper it’s written on.


If somebody or something wants to get you, they probably can. Some of the biggest risks are internal anyway, and when it comes to natural disasters, well, we’re all experts in hindsight. As a manager of any type of facility can tell you, going through the whole process of ‘if this, then that’ and ‘when this, follow with that’ is often more worrying than productive. As the number of possible calamitous situations to consider increases (who thought about tsunamis before 26 December 2005 or bottled water when flying before 2007?) it might be tempting to throw hands in the air and hope that people will just have a bit of common sense when something goes wrong.

The first and most common complaint is that the risks and permutations of damage are endless. It is hard to know where to start. According to Ace Esmeralda, a security consultant who has managed a number of facilities including a long stint with the Shangri-La Hotel group, all BCPs are works in progress and have to be viewed as that. The nature of the document is that it cannot ever truly be complete, but must be in place because of events which “can happen at anytime”. Without wanting to sound alarmist, Esmeralda believes preparation is the key, and cooperation is essential to prepare for the different possible scenarios. Once top management support has been secured, the first step should be the formation of a planning committee to formulate the policies and procedures for the BCP.

As the BCP affects the survival of the business itself, not to mention possible loss or injury to human lives, it is advisable to get specialist professionals involved. The best time to seek help is as early as possible, because disasters and crises do not follow strategic plans or business road maps. To avoid any conflicts of interest, it is advisable to engage independent consultants who have no linkages to the supply of products or security guards, Esmeralda concludes.

Ramil Maravillon, Security Manager, Wyeth, Philippines, accepts that generally, BCPs are designed to be generic in order to encompass a range of anticipated situations. Sometimes generic is appropriate: in an incident where a typhoon interrupted electricity, communications and transportation across Manila for more than 36 hours, a contingency plan that was created to address an unspecified unforeseen event was sufficient. He says planning for specific risks such as an avian flu pandemic can be tailored in accordance with the best practices in different countries. BCP implementers can then make modifications within the available resources of the particular region and industry involved.

This leads to the next complaint of beleaguered FMs: there is no one-size-fits-all BCP, and the experiences of people operating different types of facilities are all different. However, help is at hand. The first stop should be your local industry associations. Security associations can help with general BCP processes and risk assessment. Facility management associations or specialised industry groups might have subgroups or resources with more specific information. IFMA, for example, has a special airport council because of the unique challenges in those types of facilities. Formed in 2003, The Airport Facilities Council has a particular focus on benchmarking, security practices, business development and emergency/disaster planning.

Particularly in hotels, where the types of disasters are so varied and hotel guests are generally new to the building and the area, a workable plan involves extensive planning and, says Esmeralda, any BCP “relies heavily on the regular hotel staff. They are the ones who execute the planned and practiced procedures”. He says contingency plans must be “user friendly and not dependent on the initiative of guests alone”. Simple evacuation routes posted in easily findable places and safety warnings are still only sufficient if they are implemented during an emergency. He goes on to describe how he put a plan into action during the failed coup d’état in the Philippines during 2000. In this case, a military adventurist seized a five star hotel in Makati and planted bombs within the immediate vicinity. While this precise scenario had obviously not been contemplated, the contingency plan had some procedures in place that could be used to protect the safety and security of all the guests.



Not just the building
Only in rare cases are facilities so badly damaged that business cannot continue at all. The main risk most businesses face is loss of reputation and customer nerves. Having a strategy and knowing well in advance which parts of the business are crucial, not just to physical operations but also to reputation, can guide the whole BCP process, making it significantly easier.

The core service provided by a company or organisation should be the BCP starting point. However, some plans are specific to an event where security teams must anticipate greater than normal risks. Teddy Wong looks after security at Hong Kong University and says that in terms of risk, in general Hong Kong universities are remarkably safe places. Having said that, students being students means that when VIPs or political figures visit the campus, additional security plans are required to cover crowd control and contingency for any troublemakers trying to injure or hinder the progress of the target individual. Perhaps these activities are not equivalent to full-scale terrorist acts, but there is the risk of political activism going too far and threatening human or building security.

BCP for HKU means prevention rather than cure. Providing information to people who regularly visit the campus via email blasts on crime statistics has reduced the number of reported thefts on campus. Wong’s team also get in early with new campus developments by working with architects and other groups involved in the construction process. They hope to counter a more “challenging” open environment by installing more security cameras to provide information on crowd, traffic and security. All threats are considered and planned for, and in his six years of service at HKU Wong is lucky enough not to have had to implement any BCP for a major security disturbance.


Business parks offer a similar type of environment to a university campus, although they are generally even less unified. At Hong Kong’s Science and Technology Park in Sha Tin, management has made an effort to encourage the public to use the 70 percent green space around the buildings by riding on the bike path or running around the grounds. For this reason the buildings themselves are kept very secure through CCTV, physical patrols and sophisticated access control systems, as the intellectual property residing in the laboratories or elsewhere on the premises is of great importance to the science park tenants.

Can monitoring and access control plug the BCP gaps?
Not really, says Maravillon. “As a rule of thumb, technology cannot replace the efficiency of human systems. No matter how sophisticated the technology installed in a facility, it is still humans who will react.” As Esmeralda explains, “We can use technology to mitigate the impact of critical or crisis situations but the purpose of BCP is to prepare for the event when all monitoring systems fail or are simply overloaded. Examples are earthquakes, tsunamis and hurricanes. BCP is for all industries since the threats are not only physical in nature but could also be against damage to brand perception and image. BCP is for the restoration of the business operation, which is the goal of all businesspeople and investors.”

Maravillon says that a “paper plan” is always necessary for the purposes of regulatory or corporate compliance, but the working plan “should be feasible and realistic” and cover almost all eventualities. “In the event of actual emergencies, one has to learn from experience, document it for review and enhance the plans. There are no perfect emergency plans, but there are effective plans.”



Developing a comprehensive yet flexible BCP is also vital in purely economic terms, because damage to the building’s physical infrastructure is just a fraction of potential losses, says Maravillon, whereas “closing it to the public is a total disaster.” Operations should continue if feasible in a hotel, but for office, retail and industrial facilities, establishing a location for an offsite facility needs to be part of the BCP process. Unlike the recent explosion, after the bombing of a mall in Makati in December 1998, instead of closing the whole mall, managers just placed a hoarding on the affected area, released a statement that the incident was not a terrorist act, and after some 30 minutes, business continued as usual. In closing, Maravillon shares a quote from a book written by Erik Auf der Heide entitled “DISASTER RESPONSE: Principles and Coordination”, pp 37:

“likely behaviour versus correct behaviour.
Disaster plans are often written in the belief that people ought to behave according to the plan. The plans state what people “should do”. A more successful approach is to design the plan according to what people are “likely to do”. Plans are easier to change than human behaviour.” RFP


ISSN 1994-9464
Key title: RFP magazine
Abbreviated key title: RFP mag.

