
Crisis contingency planning
During 2007 a UK coal-fired power station was invaded in the early hours of the morning by a group of protestors.
The group was well-organised and had surveyed their target thoroughly. They quickly overcame fences and cameras, and the two security guards on shift.
Equipped with protest banners and climbing gear, their aim was to climb the stack and stop conveyors delivering coal to the power station. In doing so, they exploited a single point of failure: the unique safety key for the conveyors. With no spare or bypass for the conveyor, the group were able to turn what was a high-profile stunt into a business disruption event by preventing power generation at the site until a reactive workaround was identified.
In today's changing climate of political and economic risk, the importance of contingency planning within security risk management should not be underestimated. Understanding the impact of a risk event is crucial in achieving resilience within an asset or supply chain.
In determining the mitigation strategy for security risks it is just as important to understand the functional value (to the business or operation) of an asset, as it is to understand the threat environment in which it operates. But for critical infrastructure, where the risk manager may not have the option of tolerating, transferring or terminating the risk, a treatment strategy that includes integrated contingency planning is essential.
Given the nature of current threats (terrorism, trans-national crime, civil unrest, etc.), the approach of reducing the likelihood of the risk event through systems-based control measures alone does little to reduce the attractiveness of the asset and its value to the threat source (reward). Often in these instances, access is the only motivation, irrespective of personal consequence.
In the case of the power station, faced with a direct-action threat, a significant reduction in the likelihood of an event is better managed by third parties (police, security services, information sources) than through costly target hardening of existing controls.
However, there is much that can be done to reduce the impact of such an event. Planning isn't confined to holding duplicate safety keys for the coal conveyor. It should also aim to minimise disruption to the business or operation by isolating the risk event whilst allowing the unaffected activities to continue. A strategy should focus on the critical assets within the power station, and its supply chain, ensuring there are no single points of failure. Where key processes are interrupted, other assets may be brought online to ensure continuity. Plans should also address how such incidents are communicated to avoid secondary impacts on public and shareholder confidence.
In our experience, effective contingency planning must:
- Use a risk-based approach;
- Understand the threat to, and operational context of, the asset to ensure an effective mitigation strategy;
- Identify all stakeholders (internal and external) in the asset's supply chain;
- Update crisis management plans and test the crisis team regularly with realistic scenarios;
- Use risk treatment strategies that balance risk prevention with impact reduction;
- Ensure that business continuity goes beyond back-up generators and extra widgets! It must consider the supply chain of the business or asset to identify potential single points of failure; and
- Understand that a prepared business or operation is often a resilient one!
James Lewry, Practice Leader, Crisis and Security Consulting, Control Risks



















