However, we did see a major change directly related to 9/11 on the federal, state and local government side. The formation of the U.S. Department of Homeland Security in 2002 started the ball rolling. DHS/FEMA has done a very good job in maturing the readiness of federal, state, local and tribal nation emergency operations, but it has taken years for DHS/FEMA to have an impact on private sector BCM programs. The focus on improved public/private sector communications through multi-state and national-level exercises (especially for the healthcare, financial services and public utilities sectors), the introduction of Ready.gov, and the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) are three influential changes for private enterprises.

Even though 9/11 did not have an immediate impact on BCM maturity, it did set up the framework for preparedness, response and recovery improvements since for both the public and private sectors. The majority of these improvements have been a result of the confluence of three areas:

1. Increasing natural and man-made disaster events such as SARS, Hurricane Katrina, the bird and swine flu threats, the London and Mumbai bombings, the Iceland volcanic ash event, earthquakes in Haiti, Chile, New Zealand and Japan, oil spills, the global financial crisis of 2008, major ice and snow storms and so forth;
2. Technology innovations such as Internet broadband in the home, the real-time infrastructure, virtualization, hosting/outsourcing, smartphones and tablets, social media and cloud computing; and
3. Business operating practices such as regulatory changes in response to financial fraud, telework initiatives and outsourcing non-core competencies.

Without these changes to business and IT practices, many of the improvements we see today in BCM maturity would not be possible.

We have come a long way in BCM since 9/11 and we have a longer way to go for organizations of all sizes and operating models to be prepared from even the smallest, localized threat. Gartner is committed to your success in preparedness, response and recovery activities and continues to offer clients foundational and timely research in BCM and IT-DRM through our BCM key initiative for business and IT leaders. Take our maturity self-assessment called ITScore for Business Continuity Management to jump start your journey.

U.S again under threat

Published 9 September 2011

New York City and the District of Columbia respond to “specific, credible but unconfirmed” intelligence of an impending attack; information obtained indicates a vehicle-borne bomb; NYPD deploys boats, armored vehicles and a 1,000-member counter-terror force

As the nation prepares to commemorate the tenth anniversary of 9/11, New York City and Washington, D.C. again find themselves responding to an al Qaeda attack threat.

Federal authorities have advised local officials of a “specific, credible but unconfirmed threat” to the cities centered around the commemoration of the World Trade Center and Pentagon attacks.

The intelligence community has developed a “general description”of two or three individuals who may already be in the country. Making the effort more difficult is that the individuals in question have common names.

That intelligence came from the tribal region of Pakistan, from a source acknowledged as having a reliable record by U.S. intelligence officials.

It is believed that the attackers originated their journey in Afghanistan, with a possible third-country waypoint. That third country may have been Iran.

In the language of counter-terror officials, “specific” means that there is information of the type of attack that may occur. In this case, the information indicated that a vehicle-borne explosive device, a car- or truck-bomb, was the chosen method.

Last night, official focus was on two missing rental trucks, from different rental agencies in the Kansas City, Kansas area. They were later found and determined to be unconnected with the present threat.

“Credible” is used to indicate that the source of the information is believable, comes from a reliable, knowledgeable source. U.S. signals intelligence has been listening in on the communications of one particular al Qaeda source in Pakistan, from whom officials have gleaned confirmed information in the past.

Also supporting the credibility of the intelligence is an increase in “chatter” on the communication channels that are known to be used by al Qaeda operatives.

In the trove of documents gathered from Osama bin Laden’s compound in Abottabad, Pakistan, during the raid that killed him, bin Laden showed a predilection for attacking the United States on significant dates and anniversaries, such as the upcoming 9/11 commemorations.

What has not yet been uncovered is the type of corroboration that would provide confirmation indicating that the plot is active and in progress.

New York City wasted no time in responding to the threat notification.

All bridges and tunnels entering Manhattan have been staffed with additional police and national guard personnel. Cars and trucks entering the city are being searched. Additionally, there have been checkpoints set up at various locations in Manhattan, such as Times Square and Lower Manhattan, approaching the financial district.

Key rail and subway stations operated by the Metropolitan Transit Authority, Port Authority of NY and NJ and NJ Transit have been staffed with additional officers accompanied by national guard troops, watching traffic outside stations and randomly searching backpacks and baggage inside.

New York City’s response has been thorough. Besides police officers at the bridges, tunnels and rail stations, the city has deployed radiation-detecting boats, cameras have been placed throughout midtown and lower Manhattan. If required, the NYPD has a small, unmanned submersible craft available to search the hulls of ships and boats.

Also deployed or on standby, is an “army” of 1,000 anti-terror officers, armored vehicles and weapons and EOD (explosive ordinance disposal) specialists.

Key Findings

• The earthquake and tsunami that struck the Tohoku district in March, and the power plant failures and other infrastructure problems that followed, continue to disrupt communications, transportation and other infrastructure.
• The Japanese government and Tepco have implemented a plan for rolling electrical blackouts across Tepco’s coverage area, designed to reduce power usage and avoid total power failures.
• These blackouts present serious challenges for Japanese enterprises, particularly in maintaining the operational integrity of their data centers and offering alternative system access to remote workers.

Tepco has said it will not carry out its planned rolling blackouts this summer, but electrical supply continues to present challenges for Japanese enterprises. Gartner has developed a set of best   practices for various scenarios and affected parties for IT organizations in Japan and worldwide. The appropriate response to the rolling blackout depends heavily on whether or not the enterprise’s data center has its own dedicated backup power generator.

Read more about the best practices – if you are an organization impacted by the earthquake/tsunami or not – in the full report by my colleagues  Masahiko Ishibashi, Eiichi Matsubara, Nagayoshi Nakano and Katsuo Hori.  Being a Gartner customer may be required.

The feedback from the organizations I met with pointed to a few classic problems in crisis and emergency management:

1) the lack of an authoritative source for accurate and timely information;

2) the lack of coordination regarding evacuations; and

3) the  lack of coordination regarding power shutdowns.

These problems caused 1) government web site overload from people seeking accurate information which then led to falsehoods being spread via social media sites such as Facebook and Twitter, 2) gridlock out of Brisbane on January 11, 2011 after evacuation notices were sent to central district tenants, 3) organizations not being able to gracefully shutdown their data centers due to short notice of power shutdowns, and 4) confusion and frustration between the workforce and management – not every organization immediately issued an evacuation notice to their workforce. Compounding the tension were workforce communications problems due to the lack of Internet, cell phone and land line access as well as the lack of personnel on site on January 11, 2011 due to the northern area flooding where many people live – as one would expect, they stayed home to tend to their personal crises instead of coming to work.

On the positive side, the Queensland Police Service has been glowingly praised for countering the falsehoods being spread, including one that the Wivenhoe Dam would break and annihilate all of Brisbane.

All of the organizations I spoke with stood up their crisis command/emergency operations centers – many lost IT services for a few days, many were out of their production facilities for a few weeks and as mentioned previously, some lost their buildings for good. But all managed their way to recovery success and have returned to business as usual.

I will be publishing a more detailed report on these findings in the coming months, so watch for it on www.gartner.com.

Granted, excessive snow on roofs is a rather uncommon event (even in New England), and given the number of unique crises in 2010 and 2011 – volcanic ash and a government countrywide shut down of Internet and cell phone access to name just two, the risks facing BCM managers is growing and they are getting lots of great experience in treading new tracks (snow management tracks in this case). So the question is why did the Iron Mountain situation occur given the weeks of news reports of such events taking place?

The underlying reasons for this collapse have not been made public by Iron Mountain, but I can tell you that BCM service providers are a critical group of vendors that must be included in your supply chain availability risk management program. Not just from the planning perspective, but from the crisis management perspective as well. How many firms stood up their crisis command center and pro-actively reached out to their vendors since December/2010 to understand how they were handling the excessive snow and how secure their assets are and will be if the situation gets worse? Not many I’m sure. The 2009 H1N1 crisis was one situation where some firms did do such outreach.

Customers of every records management vendor, or any vendor that houses your organization’s assets, should understand in detail what are the vendor’s guarantees regarding the safeguarding of assets in unique circumstances such as excessive snow, and understand what recourse you have if they are damaged or if the situation is too risky for them to remain in their current facility. You should also require an annual assessment report of the vendor’s own BCM plan for the facility in which your assets are stored.

If you know of other such events for BCM service providers, if your firm has stood up their crisis command center this winter or have your own experience in these situations, we’d love to hear from you.

But isn’t it obvious to do so? Are Americans THAT removed, resigned, scared, numb or distrustful to take action on what we inherently know as something “fishy”? Or, is DHS taking a page from a prior era with the major marketing success of “Smokey Bear” for fire prevention?

Depending on how Wal-Mart rolls out the program, shoppers may not even notice the announcement. I know for myself, as soon as I enter a store, I bypass anything and everything – notices, greeters and so forth – that distracts me from getting my shopping finished. It’s a rare occasion for me to lollygag. And putting diapers next to the milk has absolutely no effect on me – maybe because I don’t shop for either. But I have my list and that’s what I buy.

DHS has already rolled out “If You See Something, Say Something” in transportation environments, but in many of those forums, you are typically a captive audience – you can’t easily get off the subway to avoid the message.

What do you think? Would you notice the announcement  in a store? Would you take time out of your busy life to watch it? Are there better ways for DHS to consumer-enable the message? Let me know: I’m of two minds on this one: national security is of utmost importance but is the message channel the right approach?

I’m wondering what tools your firm is using during such events? They have to be hosted by the vendor since your data center is down. What about Yammer, SocialCast, SocialText Signals, Sametime/LotusLive from IBM, Lync/BPOS from Microsoft, Google Apps? Is anyone using them or another tool for emergency purposes, and if so, how?

Not only is it National Preparedness Month, it’s prime time hurricane season in the northern hemisphere.  Watch for alerts about the status of storms at NOAH’s National Hurricane Center.

The American Red Cross has excellent advice about preparing your home and family for a disaster.

Ready.gov – a FEMA sponsored web site – is another great resource for family disaster preparedness.

Gartner has a cornucopia of research and advice including templates, vendor analysis, best practices, sample RFPs and more for organizations that are developing, maintaining and maturing their BCM programs. Read our note:  Research Roundup: Business Continuity Management and IT Disaster Recovery Management, 2Q10 to see the breadth and depth of our coverage on all things BCM.

And watch for a new BCM tool coming from Gartner in the coming weeks. Can’t say too much about it now, but organizations are so primed for it!

So take this time to promote, assess, enhance and EXERCISE your recovery plans and procedures. If you don’t, you are missing an opportunity to get management’s attention and commitment in protecting its workforce, customers and partners from disaster events.

I’m going to check and update my Go Bag today. I found a great First Aid kit through www.melaleuca.com. I’ve already used it once at a local retail outlet.  Who knew it would come in handy so quickly after purchase!

One last thing: have you given a friend or family member a list of your user IDs and passwords for personal web sites such as healthcare, insurance, online banking, investments, email, social media applications and so forth – just in case – well you know why.

1.      We started the workshop by viewing the video “Business Not As Usual: Preparing for Pandemic Flu” from Seattle-King county.  Use it internally to educate your workforce (and senior executives) on the value of being prepared. You can request a free copy (you must pay for shipping) from NACCHO.

2.      Most of the workforce absences are expected to be a result of school closures.

3.      You must have a pandemic management process (or infrastructure) in place to handle the event as it occurs because plans are a necessary thing, but they don’t often reflect the reality of the specific situation. Policies decided upon on Monday may not apply to the facts of Tuesday’s situation.

4.      Some firms are talking to public health officials about hosting vaccine programs in their work facilities, or at least trying to secure the vaccine for their critical workers, e.g. electricity generation operators. However, some are concerned about the legal liability issues if they haven’t engaged in this type of public health activity in the past.

5.      On the point of electricity generation operators – If these folks get the flu, and the generation facility is on the small side, they could shut it down because they don’t have enough staff to operate.  That shutdown means blackouts – or “rotating feeder outages”.  We could see more power outages as a result of H1N1 – a connection that most folks aren’t making, but for pandemic planning would be covered under the traditional BCM plan.

6.      Organizations are struggling with human resource policies regarding how to compensate workers if they do have the flu, especially if the worker has already used their allotted personal time off days or sick days. Some are offering extended time off options, but not everyone.

7.      Work-at-home solutions are at a high risk of failure if the work-at-home population in any given area reaches anywhere close to the 40% absentee rate. Internet bandwidth supply is not adequate to meet the demand. (Gartner is publishing a research note on this topic specifically.)

8.      Similar to the results of my June/2009 survey, many firms are not including IT vendors or IT service providers in their efforts. See my note: A Perilous Practice: Not Planning for IT and Data Center Operations Support During a Pandemic, G00169949. (You may have to be a Gartner client to view it.)

9.      Most firms expect to implement workforce travel restrictions once a pandemic strikes.

10. Most firms are trying to balance their protective mask usage policy between protecting the workforce and not offending customers. The firms who have direct and frequent contact with the public (for example retail operations) request that workers wear a mask when escorting a sick person out of the building only. Those firms that don’t have direct public contact public allow their workers to wear masks based upon their personal comfort level.

11. Those firms that have public congregation areas plan to close off those areas once a pandemic strikes. For example, bank branch lobbies will be closed and only the drive-up window will be open.

12. Firms with workers who must make home visits have equipped those workers with protective gear such as masks, sanitizer fluid for the hands and steering wheels of their cars/trucks, disposable gloves and so forth.

13. You can’t build your preparedness plans using workers’ personal information that has been gathered through the normal social networking in the work environment.

14. Some firms are concerned about law suits as a result of family members getting the flu from the firm’s employee.

15. You can’t expect to get resources from your local neighbors, partners and so forth because everyone will be in the same situation when the pandemic strikes.

16. Your plans and handling process must include actions that will assist you to return to normal operations once the pandemic is over.

17. You must include cultural differences in your plan activities. For example, blood transfusions may be refused if they are not from a person with the same national origin as the intended recipient.