How many construction companies have all their bases covered when it comes to risk management? Holly Squire finds out.
Business continuity planning may be the sensible option, but it may not be optional for very much longer. Tender documents from the public sector increasingly ask businesses to offer evidence of a business continuity plan – and statements from the coalition government have suggested that this will only become more prominent.
The Conservatives had gone so far as to make pre-election statements indicating that businesses will need to be certified to the Business Continuity Standard in order to win Government procurement contracts – a move which came in response to the Pitt review into the 2007 summer floods that devastated thousands of businesses up and down the country.
But then the recession happened, and suddenly business continuity was no longer so high on the agenda.
So beyond fire, flood and theft, what kind of risks should construction companies be considering?
Only a few months ago we watched in horror as terrorists carried out a lethal bomb attack at the Boston Marathon. And the imprisonment earlier this year of 11 extremists from Birmingham – who planned suicide bombings in Britain on a scale larger than the 2005 attacks in London – reminded us of the continuing threat here at home.
Recent research from YouGov, commissioned by experts in counter-terrorism ACTIS, shows that around 80% of construction businesses are unprepared for potential attacks or terrorism. And with more than 300 people convicted of terrorism-related offences in British courts since 2001, including 24 in the last month alone, it’s clear that the threat of terrorism is very real.
“Construction companies pose a unique level of risk,” says Daniel Neubauer, president of ACTIS, “as they build most of the critical infrastructure in the country – which is considered to be the highest risk targets in terms of terrorist threat.”
Neuberger believes that the main reason so many firms are unprepared is lack of awareness. “Managers are driven by budgets, budgets need to be reduced, and so constant vigilance and screening does not become high priority,” he says. “Many firms can’t be aware of the huge risk that terrorism can become, and are certainly not aware of implications for a business if an attack was to take place.”
“Another big problem for construction firms is the hiring and screening process,” he continues. “Firms often have people coming from different working backgrounds and countries, and if firms aren’t carrying out basic background checks on their staff, this creates a high risk of potential terrorists trying to infiltrate the workforce.”
Colonel Richard Kemp, former commander of British forces in Afghanistan, said he was shocked to discover that in the current climate so few businesses are properly prepared and informed about the real threat of terrorism.
“I remember how companies across the UK were galvanised into action in the aftermath of the July 2005 attacks. But since then, faced with competing demands on their attention and on resources, many business leaders have taken their eye off the ball,” he says.
“Corporate memories may have faded but the terrorist threat has not. Far from it. Dozens of plans to attack in the UK have been disrupted by the police and security service in the years since 2005.”
Kemp says that when it comes to security, hope is not a strategy – with research from AXA showing that over 80% of UK businesses that face such a major incident never reopen, or go on to close within 18 months.
He adds: “Vital to an effective security strategy and business continuity plan is the recognition that, along with everything else, the terrorist threat is constantly evolving, as extremists develop new tactics and techniques to bypass our security arrangements and hit us in ways we least expect. Keeping ahead of these developments is one of the most challenging aspects of security in the 21st Century.”
The defence and security think tank RUSI also believes that we are not as prepared for attacks as we should be. Professor Michael Clarke, director general of RUSI, said: “Security threats are an ever changing phenomena and difficult to contain.” Clarke also believes that gaps have grown in our business leaders’ understanding of what a threat actually is – leaving the country wide open in terms of potential attacks.
“More needs to be done to give the UK industry the best possible chance to protect themselves and their staff, and gain a competitive edge in the face of terrorist challenges,” he says.
But as well as physical risk, construction firms these days must also consider the impact of cyber threats, with cyber security ranked as one of the top five risks to watch according to the latest Global Risks Report, issued by the World Economic Forum.
Construction firms are particularly at risk, as many cyber attacks directed at businesses intend to take over industrial systems, including taking control of networks that manage critical infrastructure like traffic lights, power grids, water supplies, military networks, telecommunications, and financial systems.
And as firms develop increased reliance on complicated IT systems, IT security is now a serious issue both on and off site.
“Safe site connectivity is now a massive deal”, says Graham McLean, managing director of Link-Connect, the cloud computing provider. “It was not all that long ago that it was considered unlikely that there would be any need for IT connectivity to construction sites and now, it is a prerequisite.”
“In fact without robust IT infrastructure and reliable communications, many projects are in severe risk of delay or outright failure,” McLean adds.
“Cyber attacks are a big problem for construction firms,” says Neubauer. “Think about it: they have all the plans, blueprints, files, all the technical drawings, and if they are stolen, that is a real issue.
“Construction companies have data that is very, very sensitive and that needs to be properly protected. Which most of the time it isn’t.”
ACTIS believes that when it comes to construction firms, more needs to be done to increase the awareness and education of decision makers, if businesses are to be appropriately prepared and protected against such threats.
“In these uncertain times, security practitioners, business leaders, and heads of our public sector institutions cannot afford to ignore the risk posed by an increasingly unpredictable threat landscape fuelled by the growth of physical terrorism and cyber hacktivism,” says Neuberger.
So it seems the old adage still rings true: when it comes to business continuity, preparation is key; and whatever the risk, failure to prepare is still very much preparing to fail.
“This is why an individual company’s business continuity plan and risk management procedure can make all the difference,” Neuberger adds. “In times of crisis, they can literally mean the difference between the life and death of a business.”