In early March IT directors and chief executives met to
discuss ways to protect the UK's critical national infrastructure
from a number of threats, chief among which was terrorism. The
conference, held little more than a week before the Madrid
bombings, could not have been more propitious in its
timing.
The nature of threats and the severity with which they may disrupt
business changes all the time and business continuity plans to deal
with them must respond accordingly. The terrorist strikes in the
Spanish capital are a reminder, if one were needed, that these
plans are not documents that can simply be produced and filed,
ready on the off-chance that they may be required.
In light of the bombings in Madrid, IT directors must revisit their
business continuity plans to see what implications a terrorist
attack might have for them. A particular area for consideration is
how a significant attack on the infrastructure within a major
metropolitan area would affect the plans currently in place.
Raising this issue is not scaremongering. Given that many security
experts now expect an attack on the UK, the threat has moved closer
than ever.
Although some organisations are compelled to act on business
continuity planning by regulatory bodies such as the Financial
Services Authority, for others the level of planning they undertake
is a commercial consideration, to be weighed against the many other
priorities in the business.
All organisations would be well advised to ensure that they not
only have a business continuity plan, but that it is tested
regularly and as rigorously as possible. The plan should be
constantly reviewed, especially in light of events such as
terrorist attacks or natural disasters. And it should consider
wider issues than simply how the business will continue to operate
in the aftermath of an attack.
The likely impact on critical partners, such as suppliers and
customers, also needs to be assessed. Auditing their plans is the
ideal way to proceed - where this is not possible, some form of
assessment of how the business would cope still needs to be
undertaken.
Computer Weekly is aware of a number of organisations that have
reviewed their business continuity plans since the Madrid bombings.
It is to be hoped that they represent simply the tip of the
iceberg, that others are also taking steps to respond to the
increased threat. It would be difficult to argue, in the aftermath
of an attack, that we had no warning.