Home>Security>Cyber Crime>The show must go on
Home>Facilities>Data Centres>The show must go on
Home>Security>Terrorism>The show must go on

The show must go on

18 April 2017

Tom Powell provides an insight into how Manchester City Council has implemented a business continuity plan to prepare for a possible catastrophe

ALTHOUGH I am not responsible for civil contingency across Manchester, I do lead our business-continuity response, which plays a vital role in our civil-contingency agenda. The 1948 civil-contingency legislation guided the UK for decades, but it was not suitable for a modern-day catastrophe situation, hence the introduction of the Civil Contingencies Act 2004. This legislation now covers statutory duties, such as assessing risks, emergency planning, business-continuity planning, warn and inform, cooperating and sharing of information. It also defined category 1 (blue-light emergency services) and category 2 (the Health and Safety Executive, transport and utility companies, etc.) responders for the first time. 

From a local-authority perspective, the Act has given us a responsibility for business continuity and business resilience in schools and businesses in the wider community. It’s a huge ask to support a city of half a million people with business-continuity plans, considering our diminishing resources. Our responsibilities include civic leadership around civil contingencies, which means we lead by consent and direct, if needed, but critically, it’s about making the best use of our skills. For example, Manchester City Council people may not be the most useful to arrive first at the scene when a major incident has taken place, so in such situations it’s key that we work closely with the emergency services to help coordinate the response and provide leadership. 

Incident response

We do have a response mechanism, which includes providing forward incident officers and a commander-control structure. This ensures that, in the event of a major incident, we have eyes on the ground and colleagues in the community on the scene, whether it is a gas explosion in a house, or a flooding incident. Our forward incident officers are often first on the scene, which allows us to provide quick and effective response and communication to coordinate an incident. 

The Council has officers on call 24/7 to coordinate requests for support for such incidents as:

  • Severe weather (snow, extreme rainfall, heatwave);
  • Flooding;
  • Fires and explosions (industrial accidents);
  • Human diseases (flu pandemic);
  • Animal diseases (foot-and-mouth disease/avian influenza);
  • Accidents (train or plane crash, fires, gas explosions); and
  • Terrorist attacks.

Our external command structure is led by a multi-agency strategic coordinating group, which sits above the multi-agency coordinating group and forward control. Our internal command structure is headed by the incident management team, which oversees the emergency control centre and delivery of services. In terms of civil contingencies, we need to provide means to evacuate and care for people, overnight accommodation, humanitarian assistance, emergency road closures and diversions, provision of emergency transport, emergency mortuaries, site clearance and protection from dangerous buildings, and incidents within schools. 

Learning from disasters

We’ve learned a lot from the Manchester bombing in 1996, especially in terms of recovery, which isn’t just about infrastructure but also the psychological and economic impacts of a major incident. This area is led by our recovery working group, which aims to address the enduring consequences, such as damage to residential properties/security issues and how the population mentally and emotionally comes to terms with deaths or displacement caused by the incident. There can also be major disruption to everyday life, with possible suspension of transport links or utilities and, of course, pollution or contamination of the affected area. All of this has a direct impact on economic and business recovery as, in the vast majority of cases following a major incident, businesses do not re-open and that directly affects employment levels and the economy.

Our civil-contingency response is to ‘risk plan do check act’ (RPDCA), which means we determine what the risks are and plan around them. We can then prepare to try to prevent these incidents from taking place, but that’s not always possible. We can, however, prepare to mitigate risks by, for example, installing flood defences, or not building key council buildings by rivers or flood plains – a lesson we’ve learned the hard way! Checking plans by running through them is essential to business-continuity planning. It can be laborious but one of our key successes in Manchester has been checking our processes to ensure they are fit for purpose. The final stage is to be prepared to act in the event of a major incident, which is always the worst-case scenario. But the correct preparation will help us respond quickly, decisively and effectively. 

Risk assessment is a critical first step for us, and the starting point is to refer to the National Risk Register, which is in place to increase awareness of the kinds of risks the UK faces. It encourages individuals and organisations to think about their own preparedness. The register also includes details of what the government and emergency services are doing to prepare for emergencies. The highest priorities for risk in the UK are:

  • Terrorist and other malicious attacks;
  • Pandemic influenza;
  • Coastal flooding;
  • Widespread electricity failure;
  • Major transport accidents;
  • Major industrial accidents;
  • Disruptive industrial action; and
  • Severe weather.

Cyber attacks

It’s hard to plan for all eventualities but we feel we have a robust system in place for Manchester. The most recent threat to emerge is cyber-crime. According to the Association of British Insurers, 81 per cent of large businesses and 60 per cent of small businesses suffered a cyber-security breach in 2014. 

In 2009, Manchester City Council fell victim to a cyber-attack, after a USB stick containing a virus was plugged into one of our machines. This infected our whole server and took our computer systems out of commission for eight weeks. This was a huge shock to us and, in the interim period, when we didn’t have IT systems, we ended up having to write reports by hand. It felt like we had gone back in time! This is one of the reasons why we take cyber-attacks so seriously. To face the public when you haven’t got technology is incredibly tough; at one point, we had to provide benefit payments from a cheque-book at an emergency meeting point on the town-hall steps. 

From a resilience point of view, if you take down our systems we are blind. But the threat is ever increasing and it’s not helped when we find that 25 per cent of people open spam emails and click on the link inside them. So, it’s not just about the systems it’s about people and trying to educate them about the danger of opening, or engaging with potentially dangerous emails or web links. You need to implement a clear crisis plan in case something goes wrong, which, in simplest terms, means people need to know who to contact in your organisation in the event of a problem, or they have suspicions about potential threats. 

Emergency-response plan

Our emergency-response plan is very blunt: it’s a single side of A4 paper and it clearly states that I am the only person who can implement the plan. In the event that there’s a need for a city-centre evacuation, this will prove challenging despite best-laid plans. We have a multi-agency evacuation plan that is designed as a practical tool for tactical commanders. It provides options for commanders to consider that are dependent on the circumstances of the incident, as it is likely to be activated in conjunction with a number of other multi-agency plans (e.g. mass fatalities). The key decision for many organisations will be evacuation or invacuation (shelter in-situ), and consideration must be given to what options are most appropriate. 

Maintaining strong leadership in a crisis is key and this includes an ability to listen, adapt and communicate. There also needs to be trust in the people around you who are helping to implement the response. Making sure you have the right person leading the response is, perhaps, the single most important factor. It’s not as simple as designating the highest-ranking person in the organisation to this role. It requires a person with a specialised skills set. We have been able to identify the correct person(s) for different response roles by continually testing our response plans. 

Testing your plans is key; you need to ensure they comply with legislation and that you have buy-in from your staff, including senior management. The best opportunity to educate staff and responders on how to deal effectively with a crisis situation is while you are testing these plans. Testing also identifies where you may be falling short in your response. But these factors can only be accurately gauged if the tests are carried out properly and people take them seriously. Testing doesn’t just scrutinise plans but also human behaviour, which is not something you can necessarily predict until a crisis happens. Understanding how people might behave will allow you to prepare for their reactions in the event of a real emergency. 

Tom Powell is head of audit and risk management at Manchester City Council