Health and safety within the UK has a bad name. It is often ridiculed in the tabloid papers and there is no shortage of stories about ridiculous decisions made, wrongly, in the name of health and safety. One of the oldest urban myths is that children have to wear safety equipment to play conkers. For those of you who are not familiar with the game, according to Wikipedia “‘conkers’ is a traditional children’s game in Britain and Ireland played using the seeds of horse-chestnut trees – the name ‘conker’ is applied to the seed. The game is played by two players, each with a conker threaded onto a piece of string: they take turns striking each other’s conker until one breaks”.
The Health and Safety Executive say this is an urban myth and have added the following to their website: “This is one of the oldest chestnuts around, a truly classic myth. A well-meaning head teacher decided children should wear safety goggles to play conkers. Subsequently some schools appear to have banned conkers on ‘health & safety’ grounds or made children wear goggles, or even padded gloves! Realistically the risk from playing conkers is incredibly low and just not worth bothering about. If kids deliberately hit each other over the head with conkers, that’s a discipline issue, not health and safety”.
I think the recent fire in the Kiss nightclub in Santa Maria in Brazil and the death of 235 people has put health and safety into focus. I am not going to second guess the investigation, but I suspect that if all the health and safety precautions which we have in the UK were in place, there would not be the same number of deaths. Last year there were garment factory blazes in Karachi and Lahore in Pakistan which killed 300 workers including children. The windows in both factories were barred and in one case, emergency services had to break down a wall to rescue employees. Good fire precautions would have prevented the fire or at least allowed the majority of the staff to escape the fire. When people moan about health and safety, I always reply, “Nobody goes to work in the morning expecting to die”. When people are killed or injured at work it is often because they have ignored the rules which were there to keep them safe.
So coming back to business continuity, what is the relevance of health and safety to business continuity?
- During an incident it is always tempting to “play the hero” and in the life saving phase of the incident this may be appropriate. What we need to make sure is that, beyond the life saving phase, we do not put ourselves at risk. Post incident, employees may think the situation merits circumventing health and safety rules to recover quicker. As managers, managing the recovery, I think we have to make sure that the staff responding to the incident are aware that they should not put their lives in danger and that normal health and safety rules apply.
- Another time we may put ourselves in danger is working long hours in an attempt to recover the organisation. We may work 16-20 hours and go home for a quick sleep and then return to the incident room. Staff working long hours and then driving home are at risk from car crashes. Secondly, if staff work long hours, they may suffer fatigue, make poor decisions and not actually be contributing to the recovery. If long hours are needed, then you need to introduce a shift system and get staff sent home.
- One of my jobs as Emergency Planning Manager at Anglian Water, as soon as a major incident occurred, was to find staff members to fill all the shifts at the incident room. Coming back to the nightclub and the garment fires, do you have mechanisms in place to check that, if there is a disaster, your staff are not involved or that the garment factory is not part of your supply chain? Encouraging staff to call in to say they are safe, if there is a disaster in the country or city they are visiting, is good practice for business travelers. If you understand your supply chain, and not all companies do, as the horse in Tesco’s beef burgers has shown recently, then you should know fairly quickly if a garment fire in Pakistan may involve your organisation.
I thought this week we should discuss somewhere a bit hotter than the weather we are experiencing in the UK at the moment. Most of the UK, except where I am based in Glasgow, is covered in thick snow and suffering all the results of snow such as power cuts, inability of some staff to get to work and public transport delays and cancellations.
Last week Al Qaeda-linked terrorists mounted an attack on the Amenas Gas plant deep in the Sahara desert close to the border of Libya. About 30 terrorists stormed the plant and took a number of hostages from amongst the multinational staff who were working at the plant. Many staff managed to evade their potential kidnappers by hiding in their offices or accommodation block and then with the help of local staff were able to escape into the desert. The terrorists tried to take the hostages away from the plant back into the desert, but all their vehicles were destroyed in an air strike which killed a number of hostages as well as terrorists. Once the plant had been recaptured it was found that 39 hostages and 29 terrorists had been killed. There was some frustration from the British Government that the assault was carried out without warning and that the flow of information from the scene was limited. The surviving hostages have now all returned to their home countries.
There are a number of lessons to be learnt from this attack which, even if we don’t have facilities or staff in high risk areas, we in business continuity can still learn from.
- The site was a high profile site contributing 10% of Algeria’s gas exports; it’s in a very remote location and was known to have a high population of foreign staff employed there. This attack was likely to have taken several months to plan and so it was not in direct response to the French intervention in next door Mali. It was well known that Al Qaeda had gained a foothold in North Africa and that they are likely to launch attacks on “suitable targets”. In retrospect this was a fairly obvious target for a terrorist attack, and often terrorist attacks are on obvious high profile targets rather than some obscure facility in a little known city or town. Terrorists often go back to the same target they have attacked before, as happened at the World Trade Centre where there was a car bomb attack a few years before 9/11. There hadn’t been a previous attack on the Amenas facility but it was a high risk site and the terrorists knew that if they attacked it, due to the multinational nature of the staff, it was going to make headlines round the world. If you are a high profile site or a high profile organisation which would make headlines if attacked, then you are much more likely to have a terrorist attack than if you are a little known organisation in a less known place.
- Have you practiced and trained your staff in what to do in a hostage situation or if terrorists attack your facility? Should they hide and hope that the terrorists don’t find them and then try and escape, or should they give themselves up and then hope that they are rescued or returned through negotiation? I heard a very moving account of a camera man who had been held captive in Mogadishu in Somalia and had decided with his fellow captive to escape. He was captured very shortly afterwards. After he had tried to escape his living conditions were much worse and he was treated much worse than he was before. His view was that his escape stood very little chance of succeeding as the locals were hostile and the authorities were likely to give him back to the people who were holding him. His advice was to only try and escape if you are very likely to succeed; if you fail you may be killed or your living conditions may be a lot worse, so it was not worth it. Hostage taking may not just occur in remote gas plants in the desert but may take place in international hotels, such as the attack on the Taj Mahal Hotel in 2008.
- The oil companies have good plans and procedures in place for bringing home their staff and for keeping informed and looking after the families of those involved in accidents or terrorist attacks. In many cases senior managers personally kept families up to date with what was happening. Does your organisation have plans in place for looking after staff and keeping their families informed after they have been involved in a similar situation?
- The site is too important for the oil companies to pull their staff out on a permanent basis so expatriate staff will return. I suspect the security will be a lot better on their return. It is likely then that the terrorists will turn to a softer target, so the oil companies should be doing their risk assessment and making sure that there are no sites which could be attacked in a similar way.
For me this highlights the importance of risk assessment and making sure you identify your highest risk sites and ‘harden them’ and make them more resilient, to prevent an incident happening in the first place or to mitigate the effects of it if it occurs.
The marathon started at 0915 when our auditor arrived and finished at 1845 when he left. On Monday PlanB Consulting was due to be audited for recertification to BS25999, which will last until the certification is withdrawn and to be audited against the new business continuity standard ISO22301.
For the weeks before the audit there was much midnight oil burned in PlanB getting ourselves ready for the new ISO22301 certification. Although having already had BS25999 for three years was a good starter, there was a lot more about “standards” and less about business continuity within the new standard and so there was a lot new for us to learn.
Some of the parts of the standard we struggled with. I asked on BCMIX, a LinkedIn group, if anyone understood clause 6.3 of the ISO22301 standard. I got two replies and then didn’t understand the replies! We gave it our best and after demolishing a forest of paper as we printed out documents for the audit and kept noticing mistakes, we were all set to go Monday morning.
In the end we were recommended certification with three minor nonconformities. The “minors” were mainly sentences from the standard where we had missed part of the requirement. An example was that we forgot to put something about the responsibilities for contacting relatives of those involved after an incident. One of the minors was due to me missing three sentences of text and putting something about it within our documentation. I audit our system from an audit sheet rather than the actual standard and found that the key sentences hadn’t made it into my audit sheet so I had missed the requirement! An exhausting day for us and the auditor but we achieved the recommendation to get the standard.
I find it quite amusing that at the moment there is a huge bandwagon of people quoting ISO22301 in their promotion and sales literature, doing webinars and giving training on the standard. I suspect the vast majority have no experience of actually achieving the standard themselves or taking an organisation to the standard. We at PlanB Consulting have.
Details of how we may be able to help you can be found at this link http://www.planbconsulting.co.uk/bscertification/
In December 2012 Charlie attended the “Developing Loggist Skills” course at the Emergency Planning College and on return updated PlanB’s Loggist Training with the latest thinking and techniques. The new course was delivered to a number of Government Agencies in January, achieving excellent feedback! The course was updated to include more on “defensible decision making” and introduced the role of logging for a Senior Manager.
“Really enjoyed” Ron McMeeking, Skills Development Scotland
“It was a very good course and I got a few good ideas to take away and implement” Kirsty Bell, Scottish Enterprise
“Very good workshop!” Joe McCrystal, Skills Development Scotland