The nature of threats and the severity with which they may disrupt business changes all the time and business continuity plans to deal with them must respond accordingly. The terrorist strikes in the Spanish capital are a reminder, if one were needed, that these plans are not documents that can simply be produced and filed, ready on the off-chance that they may be required.
In light of the bombings in Madrid, IT directors must revisit their business continuity plans to see what implications a terrorist attack might have for them. A particular area for consideration is how a significant attack on the infrastructure within a major metropolitan area would affect the plans currently in place.
Raising this issue is not scaremongering. Given that many security experts now expect an attack on the UK, the threat has moved closer than ever.
Although some organisations are compelled to act on business continuity planning by regulatory bodies such as the Financial Services Authority, for others the level of planning they undertake is a commercial consideration, to be weighed against the many other priorities in the business.
All organisations would be well advised to ensure that they not only have a business continuity plan, but that it is tested regularly and as rigorously as possible. The plan should be constantly reviewed, especially in light of events such as terrorist attacks or natural disasters. And it should consider wider issues than simply how the business will continue to operate in the aftermath of an attack.
The likely impact on critical partners, such as suppliers and customers, also needs to be assessed. Auditing their plans is the ideal way to proceed - where this is not possible, some form of assessment of how the business would cope still needs to be undertaken.
Computer Weekly is aware of a number of organisations that have reviewed their business continuity plans since the Madrid bombings. It is to be hoped that they represent simply the tip of the iceberg, that others are also taking steps to respond to the increased threat. It would be difficult to argue, in the aftermath of an attack, that we had no warning.