Are you ready? Three years after 9/11, CEOs have made scant progress in keeping their companies safe.On Sunday, Aug. 1, the financial services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. industry was caught in terrorist crosshairs again. Nearly three years after thousands of money-center workers were killed in the attacks on the World Trade Center, Homeland Security Noun 1. Homeland Security - the federal department that administers all matters relating to homeland security Department of Homeland Security executive department - a federal department in the executive branch of the government of the United States Chief Tom Ridge Thomas Joseph Ridge (born August 27 1945 near Pittsburgh, Pennsylvania) is an American politician who served as a member of the United States House of Representatives (1983–1995), Governor of Pennsylvania (1995–2001), Assistant to the President for Homeland Security announeed that Al Qaeda was plotting to blow up major markets, banks and international lending organizations with truck and car bombs. [ILLUSTRATION OMITTED] The next day, the CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. of one of the nation's top financial services firms, who had mostly kept his distance from security issues, called a flurry of early morning meetings with his experts in risk management and disaster planning disaster planning - disaster recovery . Clearly agitated ag·i·tate v. ag·i·tat·ed, ag·i·tat·ing, ag·i·tates v.tr. 1. To cause to move with violence or sudden force. 2. by the latest threats, he told his staff that a plan had to be designed to protect employees and continue to serve customers. Insiders recalled that the sessions resembled meetings they had right after Sept. 11, 2001. [ILLUSTRATION OMITTED] What's going to happen this time? "Not much, I fear," confided one person who attended the meeting. "It was panic. He didn't even give a firm date for when he wanted to see draft proposals. And besides, isn't it a little late, when the danger is at your door, to begin to figure out how to defeat it?" Many CEOs are facing that question now. To say nothing of the tragic loss of lives, September 11 was an expensive lesson for corporations with huge losses from disruptions that affected data centers, supply chains, communications links and numerous other critical operations. But despite these costs, few CEOs have followed through on promises to be fully ready the next time a terrorist attack occurs. In general, top executives put a greater premium on meeting financial performance benchmarks than on decreasing risk. Corporate security chiefs, viewing their jobs in that prism or untrained in more sophisticated risk-management techniques, focus mostly on activities that recoup lost money, such as thwarting theft or embezzlement embezzlement, wrongful use, for one's own selfish ends, of the property of another when that property has been legally entrusted to one. Such an act was not larceny at common law because larceny was committed only when property was acquired by a "felonious taking," i. , according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. security experts at major companies and leading security consultants. "It's the human instinct of denial as the memory of an incident fades," says Jack Devine, a 32-year veteran of the Central Intelligence Agency and president of The Arkin Group, an intemational crisis-management firm. "The recent spike in terrorist threats has elevated concern again. But before that, security planning was clearly on the downside On the Downside is an EP by the San Diego, California band Counterfit, released by Alphabet Records in 2000. It was the band's first EP, recorded shortly after the members had relocated to San Diego from Fairfield County, Connecticut. of anyone's interest. Most companies are not much more prepared today than they were before 9/11." Outsourcing Makes Security Elusive In some ways, CEOs are even less prepared because of how they've been managing their businesses these past three years. An emphasis on outsourcing many functions to distant lands has made it more difficult to fully understand the nature of threats--or what would happen to U.S. operations if, for example, a call center or production site were to be wiped out in India. The intense focus on globalizing supply chains and making them increasingly time-sensitive has introduced new complexities into guaranteeing security. Purchasing from suppliers in potential trouble spots, such as part of Asia and South America South America, fourth largest continent (1991 est. pop. 299,150,000), c.6,880,000 sq mi (17,819,000 sq km), the southern of the two continents of the Western Hemisphere. , has increased significantly in the past few years as companies seek less expensive products to feed just-in-time inventory systems Just-in-time inventory systems Systems that schedule materials to arrive exactly when they are needed in the production process. . In meeting these goals, companies tend to balance only cost and service as they try to get products of a specific quality within a certain amount of time for the least amount of money. But in making this calculation, CEOs typically fail to consider the expense of an unexpected supplier plant shutdown or a transport disruption that makes it impossible to get materials shipped. Consequently, many critical supply chains are extremely vulnerable, say security experts. "A lot of companies have backed off doing anything about protecting their supply chains, because there hasn't been a significant attack in three years," says Joe Martha, a vice president for supply chain practice at Mercer Management Consulting Noun 1. management consulting - a service industry that provides advice to those in charge of running a business service industry - an industry that provides services rather than tangible objects . "But this is unrealistic. There could be a disruption any day and CEOs have to ask themselves if one day of lost production--and it's likely they'll lose more than that--is worth not keeping three, four or five days of extra inventory." The general lack of preparedness was writ large by an incident that occurred coincidentally co·in·ci·den·tal adj. 1. Occurring as or resulting from coincidence. 2. Happening or existing at the same time. co·in on the same day as the disclosure of new security threats. Hundreds of American Airlines American Airlines Major U.S. airline. American was created through a merger of several smaller U.S. airlines and incorporated in 1934. It continued to buy the routes of other airlines, becoming an international carrier in the 1970s; its routes include South America, the and US Airways airways Anatomy The 'pipes'–trachea, bronchi, bronchioles–through which air passes to and from the alveoli. See Small airways. planes were grounded when a computer glitch A temporary or random hardware malfunction. It is possible that a bug in a program may cause the hardware to appear as if it had a glitch in it and vice versa. At times it can be extremely difficult to determine whether a problem lies within the hardware or the software. See glitch attack. , apparently caused by an employee's mistyped command, scrambled a flight-operations network managed by Electronic Data Systems. As badly as the airlines were harmed by the September 11th attack, security experts found it alarming that carriers still lacked basic backup systems Noun 1. backup system - a computer system for making backups ADP system, ADPS, automatic data processing system, computer system, computing system - a system of one or more computers and associated software with common storage to thwart a virus placed by a terrorist (or even a disgruntled dis·grun·tle tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles To make discontented. [dis- + gruntle, to grumble (from Middle English gruntelen; see worker) and keep their planes in the air. A recent survey illustrates well CEO sentiments about security. In late 2003, PricewaterhouseCoopers conducted nearly 1,400 interviews with CEOs worldwide. Fifty-nine percent said that overregulation is either a significant or big threat to their businesses' growth prospects. Only 40 percent felt that global terrorism represented a meaningful threat. Moreover, about 70 percent of CEOs were confident that their companies had "formal enterprisewide" risk-assessment programs and responses in place. Put another way, CEOs generally view Securities and Exchange Commission Chairman William Donaldson
Charles William Donaldson (January 4, 1935 - June 22, 2005) was an English satirist, writer, rake and playboy, author of The Henry Root Letters. as more dangerous than Osama bin Laden Osama bin Laden: see bin Laden, Osama. . But another set of responses refutes the logic of this conclusion, says Joel Kurtzman Joel Kurtzman is a Senior Fellow at the Milken Institute. His research focuses on globalization and its risks. He is also Executive Director of the Milken Institute’s SAVE Project which focuses on energy security and climate change. , the PricewaterhouseCoopers partner who led the study: When the CEOs were asked if they have the information they need to manage risk across their organizations, only 26 percent strongly agreed. A mere 23 percent said that a common terminology and a set of standards exist at their companies to tackle risk. "What this says is that CEOs have the same false sense of security as everyone else," says Kurtzman. "They like to believe that there are no real external threats to their organizations, because they have shielded themselves from these threats. But when prodded to describe the protections that they have in place, they have to admit, not many." [ILLUSTRATION OMITTED] This attitude is particularly surprising because of the cost of an unexpected incident, whether a terrorist attack, a natural disaster, an accident, an environmental foul-up or any other unforeseen event. Some industries--airlines, financial services and manufacturing, to name a few--still have not fully rebounded from 9/11. And based on figures that emerged during the West Coast dock workers' strike in 2002, if a terrorist used a commercial ship or container to detonate det·o·nate intr. & tr.v. det·o·nat·ed, det·o·nat·ing, det·o·nates To explode or cause to explode. [Latin d biological or chemical weapons at U.S. ports, which are still virtually unprotected, sea lanes could be closed for upwards of 90 days at a cost of more than $50 billion to American companies, according to Naval security expert Rear Admiral James Miller James Miller may refer to any of the following individuals:
Any tangible commodity purchased by households to satisfy their wants and needs. Consumer goods may be durable or nondurable. Durable goods (e.g., autos, furniture, and appliances) have a significant life span, often defined as three years or more, and company has its main regional warehouse could take a percent or two of sales out of a quarter's results. Some industries, by their nature, are having trouble preparing for disaster. Sources in the telecom industry, for example, say that, although the providers are taking threats seriously and will set up multiple redundant data systems for corporate customers willing to pay for them, there is simply no real way to bomb-proof telecom lines. Of all major industries, the financial services sector appears to have done the most to prepare. Many top Wall Street firms have set up "mirror" facilities that allow them to ship data from their primary operating centers to the backup facility in real time, or very close to it. But those mirror facilities are often located within 30 miles of the primary data processing data processing or information processing, operations (e.g., handling, merging, sorting, and computing) performed upon data in accordance with strictly defined procedures, such as recording and summarizing the financial transactions of a sites. Morgan Stanley  To comply with Wikipedia's , the introduction of this article needs a complete rewrite. , for example, has a site in Westchester, and Citigroup's backup site A backup site is a location where a business can easily relocate following a disaster, such as fire, flood, or terrorist threat. This is an integral part of the disaster recovery plan of a business. is also within a 30-mile radius. That simply may be too close. And no one knows how those backup sites will operate if the firm's entire IT staff is eliminated or is unable to reach the backup site. Even insurance companies aren't sure how to measure this kind of risk. In general, underwriters insure only about 25 percent or less of a company's worldwide risk. A great deal of extended liability, such as the potential loss of key materials after a supplier's operations are shut down by an attack, is usually not covered not covered Health care adjective Referring to a procedure, test or other health service to which a policy holder or insurance beneficiary is not entitled under the terms of the policy or payment system–eg, Medicare. Cf Covered. , indicating that insurers are still uncomfortable with measures companies are taking to secure their operations. In a narrow number of cases, though, for companies that have gotten serious about risk management, setting up protections for supply chains and other overseas operations, insurers are more willing to underwrite a greater amount of coverage. They work with companies to produce hedging programs in which exposure is shared among underwriters, the companies themselves and investments in derivatives and other financial instruments. That leaves CEOs to figure out just how to get serious. One of the most important pieces of being ready for an attack, say experts, is careful examination of the most critical aspects of a company's activities, including extended relationships with third party suppliers and business partners, to locate the weakest links. For example, after 9/11. Ford Motor was forced to idle five plants and production dropped by 13 percent in the fourth quarter of 2001 because its Canadian-manufactured engine parts sat for days on trucks trying to cross the U.S. border. Ignoring the dangers of this sole-source arrangement, the automaker had failed to contract beforehand with an alternate supplier in the lower 48 states. [ILLUSTRATION OMITTED] Some companies that learned costly lessons three years ago have made changes to guard against future incidents. Toyota, a company that prides itself on efficiency, was forced to slow down production of its popular Sequoia SUVs in its Princeton, Ind., factory after 9/11. That's because it only belatedly be·lat·ed adj. Having been delayed; done or sent too late: a belated birthday card. [be- + lated. discovered that a key supplier, Continental Teves, couldn't deliver parts because it was overly reliant on another German company for steering sensors, which were grounded in Europe by the moratorium on flights. Since then, Toyota, among the few companies in the past few years to take the broadest view of security--also called extended enterprise risk management or resilience planning--has demanded that each of its top suppliers design a security plan that offers alternative arrangements in case a primary source is disrupted. Continental Teves, a German company with U.S. headquarters in Auburn Hills, Mich., reacted by signing agreements with shippers to carry German parts by boat to North America North America, third largest continent (1990 est. pop. 365,000,000), c.9,400,000 sq mi (24,346,000 sq km), the northern of the two continents of the Western Hemisphere. if airplanes are grounded. And the company now maintains a two-week, rather than a one-week, inventory of sensors. Maintaining "buffer" stock, or extra inventory on hand, during dangerous periods or when key suppliers are located in potential tinderboxes is one way to prepare for anything that might come along. Just-in-time inventory systems become just-in-case networks. Equally important is setting up secondary sources for critical parts that can be tapped if a supplier or a distribution channel is shut down. And companies should continually assess their supply chain to patch the weakest spots, paying greatest attention to materials and supplies earmarked for their best performers. "In general, companies whose supply chains survive an unexpected incident intact have looked closely at their business units beforehand and determined that, for instance, 62 percent of their revenue is generated from these three products," says Gary Lynch Gary G. Lynch, an attorney, is the Chief Legal Officer for the New York investment bank Morgan Stanley. Lynch graduated from Syracuse University in 1972. He received his J.D. degree from Duke University School of Law in 1975. , president of management consultantcy Xeno, who advises executives at ADP (1) (Automatic Data Processing) Synonymous with data processing (DP), electronic data processing (EDP) and information processing. (2) (Automatic Data Processing, Inc., Roseland, NJ, www.adp. , Pepsi and Citicorp, among others, on risk strategies. "And they've designed preventive plans to protect those three products at all costs." Cost vs. Security Despite the evidence that risk can be managed, many CEOs feel they are handcuffed by fiscal realities and are unable to give risk management a lot of attention. As the PwC survey showed, dealing with Sarbanes-Oxley is very much on the minds of CEOs--and the costs of it are frequently quite high. Some of the larger companies have earmarked anywhere from $10 million to $100 million annually over the next few years to meet the law's mandate that public companies certify to having systems in place to unearth and protect against financial fraud, according to PwC's Kurtzman. For businesses struggling to become profitable again, such as the airlines, or saddled with the slimmest of profit margins, like automakers, consumer goods companies and retailers, an additional $10 million or more to pay for extensive and ongoing protection from external dangers is beyond the budget. [ILLUSTRATION OMITTED] What's more, for many CEOs, the goal of increasing shareholder value often collides with the notion of improving their companies' ability to withstand a business disruption. For example, the growing and risky practice of relying on single sources for critical components or products may be bad risk management but good business. because these exclusive partnerships with favored suppliers usually nail down the best prices in the marketplace. "There's tension in the C-level ranks to squeeze a tremendous amount of cost out of their systems," says Jeff Holmes, executive vice president at Manugistics, a software company that has helped develop supply-chain management programs for dozens of corporations, including BMW BMW in full Bayerische Motoren Werke AG German automaker. Founded as an aircraft engine manufacturer in 1916, the company assumed the name Bayerische Motoren Werke and became known for its high-speed motorcycles in the 1920s. , Ford, Deere and Continental Airlines. "In doing that, companies have become more and more dependent on overseas or independent suppliers and partners for sole sourcing and have not created alternative contingency purchasing plans." As a result of cost concerns, most security programs tend to be overweighted on plant and employee protection--in essence, the last but perhaps least expensive line of defense. Since 9/11, Kroll, one of the world's largest risk-assessment firms, has experienced huge growth in physical security jobs. The projects include erecting hardened barriers around buildings, starting employee identification systems, creating contingency plans for evacuation and training bodyguards for top executives, according to Chris Gniet, a vice president at the company. Also playing into the lack of high-level risk-management initiatives at companies are the kind of security advisers CEOs have chosen to rely upon. In many instances, CEOs have responded to 9/11 by hiring chief security officers with impressive resumes--former Secret Service or FBI agents--but very little strategic expertise. Their experience stems primarily from flanking a perimeter to protect ranking officials from harm or investigating crimes. When CEOs turn over the task of protecting their companies to these specialists, they get good tactical results, but nothing in the way of safeguarding an extended supply chain or a thorough analysis of hiring practices at a partner's overseas factory. In fact, the training that security officers have traditionally had has become so irrelevant to what companies facing international disruption actually need that one of the leading risk-management certification groups recently changed its curriculum to focus on producing executives capable of handling strategic aspects of security, data recovery and disaster planning. "Starting in the past year, the curriculum has become more sophisticated," says Thomas Mawson, executive director of DRI See Digital Research. International, which has certified nearly 3,000 security professionals. "Courseware has been rewritten to teach business continuity planning Business Continuity Planning (BCP) is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined and execution to groom people for chief risk officer positions that can be of value to the CEO." [ILLUSTRATION OMITTED] But even with the right advisers, security experts say, ultimately it is up to the CEO to make business continuity and risk management a priority and justifying the costs. If there is one lesson that CEOs should have taken away from 9/11, says former CIA CIA: see Central Intelligence Agency. (1) (Confidentiality Integrity Authentication) The three important concerns with regards to information security. Encryption is used to provide confidentiality (privacy, secrecy). official Devine, is that if you wait for something to happen, it will. "The CEO who gets deeply involved in risk management is going to be very, very happy some day that he did," says Devine. "It's that or face a chaotic future." |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion