When the British government wanted to test the resiliency of its financial institutions, it commissioned "an afternoon from hell". The buildup started on a Monday morning last November. First, there was a failure in the clearing systems used to transfer money between banks after routine systems maintenance. Then, terrorists staged a series of bomb attacks around Britain, causing hundreds of casualties in London and considerable damage to major financial centres. Around the same time, malicious hackers tried their best to break into the banks' systems.
All in all, 'twas was a bad day. The disaster recovery simulation was organized by the Tripartite Authorities, a group comprising the Financial Services Authority, the UK Treasury Department and the Bank of England.
Monitors from KPMG, the consultancy that created the scenario, watched from 14 sites around London as 80 companies and more than 3000 participants worked to keep their staffs safe and their operations running.
The goal was to create a situation that appeared realistic, to show how the police and other government agencies would react, says Rick Cudworth, a KPMG partner who heads Business Continuity Services. So actors on a closed-circuit TV channel broadcast "news". A secure Web site presented crisis updates for participants to monitor developments, says Rob McIvor, head of media relations for the Financial Services Authority.
For HSBC Bank and others in the Canary Wharf financial district, the scenario included a special wrinkle: Dangerous hazards prompted police to prohibit access to the area. This prevented HSBC employees from accessing the bank's contingency site, says Neil Brazil, press officer for the bank. After the exercise, the bank began to work with police to refine emergency plans, he says. Brazil says HSBC weathered the scenario "without any of our customers experiencing any problems".
This was the second year that such an exercise has been held in London, with approximately 45 more companies participating than in 2004. It is one of several initiatives by the Tripartite Authorities to bolster the finance industry's contingency plans - begun before terrorists struck London's subway and bus system last July. A report on November's exercise, with recommendations for businesses, is set to be released by early March, McIvor says.
If a report released by the Tripartite group in December is any indication, there will be many lessons. That survey, called the "Resilience Benchmarking Project", asked about 60 financial companies 1000 questions and generated reports to show how businesses compared with their peers. Several participants described these questions "as a wake-up call in terms of improving business continuity teams' understanding of their firms' critical business functions", the report said.
McIvor says "Resilience Benchmarking" is prompting companies to examine plans for allowing staff to work at home in the case of an emergency, or plan for transporting workers from London to an alternative site to continue business operations. Also, firms need to focus on staff. "We were quite surprised by the small proportion of firms that had immediate access to next-of-kin data," McIvor says. He added that more companies are setting up multiple operations.