Lessons from 9/11 The war on Iraq and the perceived threat of retaliation against western targets might be encouraging some financial services organisations to review their approach to Business Continuity. So far, there has been little evidence of this if the views of Business Continuity practitioners, consultants and third party suppliers is anything to go by. In this article, we look at some of the lessons that financial services companies might learn from the attack on the World Trade Center on 11 September 2001. Practising building evacuation saves lives. We all know how difficult it is to get people to take fire drills seriously but Morgan Stanley won widespread praise for the way it got staff out safely. This was down to practice, nothing more, nothing less. Disaster Recovery is only one element of Business Continuity Management. How you handle the initial phase of the emergency (Crisis Management) and how you design your business (Operational Resilience) are at least as important. See figure 1. Leadership is crucial. If you can get the right people together in a disaster (either face-to-face or electronically) and can make the important decisions, most things are possible. Leadership is also crucial before you have the disaster. Most Business Continuity programmes fail because the ownership lies too far down the organisation with people who don't understand the business and cannot engage with staff at all levels. Remember, the first rule of business is to stay in business as, otherwise, you cannot employ people, pay yourself, satisfy your customers or make a return on investment for your shareholders. Communication is vital. In a disaster, you need to let your staff, your staff's family and friends, your customers, suppliers and regulators know what is happening. You should decide in advance who will be responsible for spreading the message and ensure it is consistent (and truthful). After staff safety and well-being, the next thing everyone wants to hear is when they will be paid, even if they have to wait a bit. Plans are irrelevant. People either know what to do, or they don't. In a disaster, they are not going to wade through some lengthy document to find out what to do. They haven't the time. In any case, the plan will never have been designed to match the reality of the situation. IT resilience must be built in. One of the key lessons of 9/11 was that the traditional main site/back-up site approach to minimising IT disruption is no longer valid in many cases. It's too slow and you can't be certain it will work. Even where data was copied over to an alternate site on a regular basis - for example, overnight - many companies found that their ability to restore service from that location compromised by out-of-date software, reduced systems capacity, inadequate telecommunications and the inability to interface with customers, counterparties and clearing and settlement organisations. Critical applications need to be designed from the ground up to run from multiple locations in real, or near real-time. Manual processing is no longer viable. Volumes are too high. Processes have been automated. The staff who knew how to do things manually have long gone or moved on to other things. And, any way, mistakes from mis-keying etc. are now too expensive. It's better to wait and do it properly. Focus on effects, rather than causes. You will never identify the next disaster. Even if you do, nobody will believe you. A major US financial group is reliably reported to have abandoned a Crisis Management exercise in July 2001 - three months before the tragic events at the World Trade Center - as the board was unwilling to role play the destruction of part of Wall Street on the grounds that it was never going to happen. There are a limited number of effects - loss of staff, loss of premises, computer failure, disruption to phones, etc - but an almost infinite number of causes. It therefore makes sense to focus one's planning on the latter, rather than the former. Relocate. The historic reasons for being in tall City-centre locations - the ability to have lunch with customers - have largely gone. Given today's technologies and working practices, is there any reason to have everyone working in one downtown building. Some companies, such as Morgan Stanley, have made a point of separating people and IT in their key operating centres. That way, if one is destroyed, they haven't lost everything. Many tasks can be done remotely. In the wake of 9/11, some US financial institutions were managing everything from payments and receipts, hedging and funding, to network routing and management from the UK. Set clear business priorities. The US regulators have suggested that for Banks these should be processing large value payments; clearing and settling material transactions; arranging funding and collateral; managing, reconciling and communicating your own and customer positions; safeguarding assets; and performing support functions integral to the above. Each organisation needs to define its own priorities - even if it then modifies them in a disaster to take account of the real situation. Conduct due diligence on your dependencies. Many financial organisations have outsourced key processes or IT services - often for cost reasons - without establishing who is responsible for providing the process or service in a disaster. Many outsourcing contracts include force majeure clauses which limit the supplier's liability in a disaster. You should understand the impact of such a disaster on your own service levels and find ways of mitigating the risk. Removing force majeure clauses might be a useful start but you actually need to ensure that either you or the supplier has tested workarounds in place should a disaster occur. Check your recovery vendor. If you subscribe to a third party recovery service, you need to understand who else subscribes to the same service and what happens if they have a disaster at the same time as you. Is it first come, first served or "equitable share"? How will you manage with a reduced allocation of seats, for example? You should also understand how quickly you will get access to the service. Counselling does not always work. A study of victims of 9/11 by Columbia University, reported in the Sunday Times, concluded that counselling was "an enormous waste of money" and that there was "little evidence that getting people to open up actually helps them". Separate studies in the UK - of soldiers who served in Bosnia - and Sweden have come to similar conclusions. Nick Simms is a Director of Cornwood Risk Management Ltd, a consultancy specialising in Business Continuity Management in the financial services sector. He is a Fellow of the Business Continuity Institute and recognised as the pioneer of Dealing Room Disaster Recovery. He can be contacted on 020 8731 6510 or at [email protected] The costs of UK conversion to the euro I recently co-authored a paper looking into the likely costs to UK companies of euro conversion. It has particular relevance for financial services firms, as these will be amongst the most heavily impacted by euro conversion. This article summarises the findings. INTRODUCTION Nobody can be sure when (or even if) the UK will join Economic and Monetary Union (EMU), but as long as it remains a possibility, prudent firms will have a plan for it. A proper understanding of the costs of conversion is essential so that firms can plan properly. There is a cost involved in effecting the transition to the euro and firms should be building this cost into their forward plans, if only as a contingency. Indeed, if you share the belief of many euro-watchers, that HM Government will hold the euro referendum next year, with entry in 2004, you should be building at least some of these costs into your budgetary planning for financial year 2003/4. WHY IS THERE SUCH SILENCE ON THE LIKELY COSTS? Shortly before we published our paper there was a euro seminar in London. Various euro-luminaries on the panel were asked, by a member of the audience, about the expected costs. The questioner was evidently surprised when they failed to give him any meaningful response. We felt the reasons for this lack of information were probably these: - There are practical difficulties with obtaining reliable data from the first wave. The data on costs were not fully collated in such a way as to allow individual organisations to identify the costs that would be directly applicable to them. Whilst some costs (e.g. IT conversion) were recorded in detail, other costs, such as internal and external training and communication, were often incorporated into 'business as usual'. - The euro supporters see political disadvantages in collating retrospective financial statistics about the costs of the first wave conversion, fearing that these will be used to support the 'no' campaign. Our belief, however, was that British industry needs a good idea as to the likely costs involved in conversion and of a realistic breakdown of that spend, and that this need overrides the above objections. If a referendum is called, the timetable of events will be extremely tight and one of the greatest risks facing both the private and public sectors in the UK is that they are not yet taking the topic seriously enough. HOW MUCH SHOULD MY FIRM EXPECT TO SPEND? As in so many things, there is no substitute for proper planning. We have drawn out some guidelines, based on first-wave experience but taking due account of the situation in the UK. These must be seen as indications only. The only way for any organisation to understand the costs and timescales of the euro is to develop a proper 'euro action plan', a process which comprises three stages: - Understand in detail (i.e. at a business process level) the impacts of the euro on your firm, both strategically (opportunities and threats) and operationally. - Develop, on a process-by-process basis, a detailed change plan that exploits these opportunities and protects against these threats. - Calculate the costs and timescales of these changes and document them into a plan. Set these plans against your view of the likely entry timetable and then decide what investment to make and when. Only when this euro action plan has been completed can a firm be considered ready to face the possibility of UK participation in EMU. BREAKING THE PLANNING BLOCK It is well known that prudent firms should plan for euro entry, but many are still not fully engaged in this process. We felt that these organisations are not planning for the euro because they are stuck in a planning block. With no clear idea of the costs of euro conversion it is hard to get a commitment to plan. With no plan it is impossible to estimate accurately the costs of conversion. We set out to break that cycle by giving some figures that can be used to make an initial estimate. This should enable managers to see the likely scale of the problem, and thus to get a budget agreed for some serious planning, along the lines we have indicated above. SOME GUIDELINES FOR BUSINESS PLANNING We looked at available data and what has already been said, by reputable sources, about the costs of euro conversion. These costs are indicative; it must be recognised that the complexity of the task for any particular organisation is determined by: - Getting ownership by top-level management. - The degree of reliance on external parties for services. - The effectiveness and maturity of the existing communications infrastructure within the company, towards both customers and staff. - The ability to manage large-scale enterprise-wide change programmes. - The structure and flexibility of existing IT systems. To start with we considered the overall costs to the UK of joining the euro. The European Central Bank recently calculated that the twelve first-wave countries spent between 0.3% and 0.8% of annual GDP on euro conversion. We had no reason to dispute these figures. If we assume that the UK experience would also fall within this range we get a national cost range of £3bn to £8bn. Considering individual firms, we know that the greatest costs will be borne by those who interact with customers on a retail level, primarily the high-street stores and the banks. These costs will be spent on keeping their customers informed on the euro and on their firm plans for conversion. Evidence from Ireland, which is perhaps the most culturally equivalent source for UK purposes, suggests that a UK national retailing chain or clearing bank could expect to spend in the order of £100m. Finally we had seen credible research which suggested that the cost to an average firm (whatever that may be) would be around 0.75% of annual turnover. As a rule of thumb, these costs should be allocated in three equal portions for the financial years 2003/4, 2004/5 and 2005/6. WHERE DOES THE MONEY GO? We found evidence that the major costs break down roughly as follows: IT Systems adaptation 38% Communications (both internal and to customers and suppliers) 21% Staff training 10% Project management 8% Legal changes 7% Strategic advice 5% Other firm consultancy 11% Total 100% TOP TIPS FOR EURO READINESS Given the political uncertainties surrounding UK euro entry, few firms will justify the full spend on euro preparations at this time. But, as with any other potential impacting event, there is no excuse for ignoring the issue. We advise all firms to do some basic preparation, to secure their position for the future. In particular: Do's Don'ts Do ensure that senior management are fully aware of the euro issues - the euro may require radical firm changes and these cannot be achieved without senior management commitment. Don't underestimate the impact of the euro and the extent of the changes that would be needed - develop a euro action plan, as described above. Do secure your resources early - experienced resources capable of advising on the euro are few and the demand will exceed supply. Don't over-engineer the solution - take practical and pragmatic advice and avoid grandiose schemes. Do formulate euro as an enterprise-wide programme with appropriately senior management - the impacts will be wide ranging and everyone needs to be involved. Don't leave it until the last minute - in first-wave countries companies often found their options were seriously limited by lack of time. CONCLUSIONS There is a need to draw up appropriate plans, such that, if a decision is taken to join, firms can move comfortably into a pre-determined action plan, leading in turn to a smooth transition. If you want a copy of the full paper (in PDF format) please drop me an email and I will be happy to send one. And one final thought regarding the current "will we, won't we" referendum debate. The Guardian, under the headline "Banks bemoan euro dither" recently wrote: "British-based banks want an end to uncertainty over membership of the single currency" because of the planning difficulties it was causing. I quite agree. The sooner the referendum happens the better it will be, not just for banks, but for British businesses as a whole. ABOUT THE AUTHOR John Turner is Solving's principal euro consultant, with over 23 years' experience in business and technology consultancy in the financial services industry. He specialises in providing business and systems strategy assistance and has a particular interest in the euro, having lead nearly thirty assignments with organisations varying from small departments to major multinational banks. He speaks at conferences discussing issues related to the financial services industry and is often quoted in the press and industry journals.