On 11 September so much was destroyed that business is still trying to pick up the pieces. It is clear now that the way companies used to work has gone forever and FDs - with their responsibilities for risk management, business continuity and insurance - are in the thick of the rebuilding.
Everywhere, after 11 September, the same impossible question: what now? To answer it, we need to know what is temporary – caused by the economic downturn that began before the attacks but which will eventually reverse – and what is permanent. Sometimes the difference isn’t clear. For example, does the collapse in business among flag-carrier airlines, but the comparative buoyancy of the budget fliers, represent a paradigm shift in the market?
This confusion is likely to place a double strain on FDs. Most will be under intense cost pressure as the downturn bites, markets shrink and competition gets tougher. But they will also need to play a more proactive role in the risk management of their organisations.
Risk management responsibility
In this sense, risk is defined in its broadest sense. Remember that the Turnbull Committee Guidance for Directors on Internal Controls placed responsibility for risk management firmly in the FD’s domain – so this could be a good time to revisit Nigel Turnbull’s report which set out a best practice framework for business risk management based on assessing and controlling significant risks.
What does seem important is that, in future, business will operate in a world in which threats will appear from unexpected areas. Not surprisingly, security is the first issue boards have addressed. Ian Johnson, a leading security consultant, saw enquiries double overnight after the World Trade Center attack. ‘The big one was control of access to buildings – x-raying baggage and body searching,’ says Johnson. ‘We’ve also been asked about mail screening and bomb blast protection.’ The events in New York have also made companies aware of risks inherent in their location. ‘If you’re close to a significant building it could increase your risk,’ he says.
Location will become more contentious
Richard Pursey, managing director of Global Continuity, a leading UK player in business continuity, agrees that location will become more contentious. Within hours of the attacks, six City companies had called his firm wanting to move some staff out of London. ‘Because of the scale of the disaster, they didn’t want all their eggs in one basket,’ he says.
Two points arise. First, locating all staff in one prestige office block may not seem as wise as it did. That’s especially the case if the building also includes staff from what you regard as a higher risk company. Secondly, as Pursey points out: ‘Companies are revisiting why they are even based in these areas anyway. I have spoken to two finance houses – one in Brussels, one in London – which are questioning whether they should even be in these city centres any more. In some ways they don’t need to be – everything is electronic.’
Whether firms move or not, 11 September means they need to pay much more attention both to staff safety and business continuity. That is an issue which FDs may have wanted to look into even without an increased terrorist threat. As the Centre for Corporate Accountability points out, 3,759 people have been killed and 205,000 seriously injured at their place of work in the past 10 years. And the public is becoming restless about the seeming failure of directors to accept responsibility for tragedies where there is apparent negligence.
Something that might never happen
The problem is that many companies are in a panic about something that will never happen to them – a terrorist attack – when there are a host of seemingly minor matters, such as office or factory fires, which are more likely to do damage. Ian Waldram, immediate past president of the Institution of Occupational Safety and Health, says that any company which hasn’t carried out a safety survey of its premises should do so immediately.
Even if all staff safety issues are covered, there is still a danger that a company could cease to function after a major incident – whether accident or attack. Mercifully, the UK has known nothing on the scale of the World Trade Centre, but the IRA bomb which devastated the centre of Manchester in 1996 seriously disrupted 452 companies. Within six months, 250 were out of business for good.
In the past few years, many companies – especially in financial services – have put business continuity plans in place. The question FDs must now address is whether those plans are robust enough to cope with the scale of any emergency which might occur. Soon after 11 September, Guardian iT, a disaster recovery services specialist, was showing journalists over its emergency high-tech relocation centre in East India Dock. But if an attack can disrupt an area the size of south Manhattan, should disaster recovery sites be situated in such a high-risk commercial district?
Taking a fresh look at risks
John Sharp, chief executive of the Business Continuity Institute, says companies should take a fresh look at risks. ‘You should look at all the processes you go through in order to deliver a product or service,’ he says. ‘IBM has a concept of going from quote to cash – you need to minimise the risks at each step.’
Sharp points out that insurance by itself is an inadequate response to risk management. ‘You may be able to insure against your factory burning down, but insurance doesn’t keep your customers happy and supplied with products,’ he says. Indeed, research by IDC suggests insurance only covers between 30% and 60% of the costs of a disaster. Exclusions and excesses may reduce even that figure.
Most businesses will be facing hefty premium rises across their business insurance portfolios during the coming year. Premiums were already set to rise to help insurers recover losses from last year’s floods and other disasters. Industry insiders suggest 11 September could add another 20% to an average company’s premiums; analysts say the cost to insurers could well top £10bn. But all these figures are estimates until complex and protracted legal action over some liabilities has run its course.
Finding an insurer
What will make life more difficult is that many listed companies are only prepared to insure with firms which have balance sheets at least as strong as their own. But, as David Gamble, executive director of the Association of Insurance and Risk Managers in Industry and Commerce, points out, the number of insurers with AAA and AA ratings is falling. So there won’t be so much choice in the insurance market for those FDs who regard the balance sheet test as critical. ‘The scarcity means that the insuring companies can put their rates up across the board,’ says Gamble.
The one bright spot for UK business is that insurance for terrorist acts will still be available through the Pool Re scheme at affordable rates. The scheme was set up with government encouragement in the early nineties when commercial insurers refused to provide cover in the wake of a string of IRA attacks. Few other countries have a similar approach.
The issue of money-laundering
Another financial issue which may now figure higher on the FD’s agenda is money laundering. This will certainly be tougher for banks and others in financial services to deal with. But the Financial Action Task Force, the OECD body which coordinates the fight against money laundering, is determined to crack down harder on terrorist financing.
The FATF held a special plenary session in Washington at the end of October. It agreed a raft of measures which will make it difficult for any government to stand aside from money laundering controls in the future. The UK government has been doing its bit and is egged on by the knowledge that catching dirty money aids the public finances. It is likely to implement new measures enthusiastically.
FDs who blithely assume their firms are immune from this kind of unpleasantness could be in for a shock. Nigel Morris-Cotterill, who runs Silkscreen Consulting, a specialist operation which advises on money laundering, says: ‘It is very common for criminals to use some of the money which they have laundered to invest in a legitimate business.’ Firms harbouring such investments could be guilty even if they fail to report suspicions that the money was introduced for laundering purposes.
With the international situation continuing to develop, there are likely to be further unpredictable consequences. For example, a report from IT services company Keane predicts a downturn in outsourcing because contractors will not want to take on staff. But the Management Consultancies Association figures for the first three-quarters of 2001 saw IT outsourcing growing at a very healthy 25.4%.
What most FDs can be fairly sure about is that issues such as risk, security and good governance will be right at the heart of their concerns for the next few months, and probably years. The defiant message from world leaders after 11 September was ‘business as usual’. That business will continue is a certainty – but it is never going to be ‘as usual’ again.