Are You Ready?
Three years after 9/11, CEOs have made scant progress in keeping their companies safe.
August 1 2004 by Chief Executive
On Sunday, Aug. 1, the financial services industry was caught in terrorist crosshairs again. Nearly three years after thousands of money-center workers were killed in the attacks on the World Trade Center, Homeland Security Chief Tom Ridge announced that Al Qaeda was plotting to blow up major markets, banks and international lending organizations with truck and car bombs.
The next day, the CEO of one of the nation’s top financial services firms, who had mostly kept his distance from security issues, called a flurry of early morning meetings with his experts in risk management and disaster planning. Clearly agitated by the latest threats, he told his staff that a plan had to be designed to protect employees and continue to serve customers. Insiders recalled that the sessions resembled meetings they had right after Sept. 11, 2001.
What’s going to happen this time? “Not much, I fear,” confided one person who attended the meeting. “It was panic. He didn’t even give a firm date for when he wanted to see draft proposals. And besides, isn’t it a little late, when the danger is at your door, to begin to figure out how to defeat it?”
Many CEOs are facing that question now. To say nothing of the tragic loss of lives, September 11 was an expensive lesson for corporations with huge losses from disruptions that affected data centers, supply chains, communications links and numerous other critical operations. But despite these costs, few CEOs have followed through on promises to be fully ready the next time a terrorist attack occurs. In general, top executives put a greater premium on meeting financial performance benchmarks than on decreasing risk. Corporate security chiefs, viewing their jobs in that prism or untrained in more sophisticated risk-management techniques, focus mostly on activities that recoup lost money, such as thwarting theft or embezzlement, according to security experts at major companies and leading security consultants.
“It’s the human instinct of denial as the memory of an incident fades,” says Jack Devine, a 32-year veteran of the Central Intelligence Agency and president of The Arkin Group, an international crisis-management firm. “The recent spike in terrorist threats has elevated concern again. But before that, security planning was clearly on the downside of anyone’s interest. Most companies are not much more prepared today than they were before 9/11.”
Outsourcing Makes Security Elusive
In some ways, CEOs are even less prepared because of how they’ve been managing their businesses these past three years. An emphasis on outsourcing many functions to distant lands has made it more difficult to fully understand the nature of threats€¦quot;or what would happen to U.S. operations if, for example, a call center or production site were to be wiped out in India.
The intense focus on globalizing supply chains and making them increasingly time-sensitive has introduced new complexities into guaranteeing security. Purchasing from suppliers in potential trouble spots, such as part of Asia and South America, has increased significantly in the past few years as companies seek less expensive products to feed just-in-time inventory systems. In meeting these goals, companies tend to balance only cost and service as they try to get products of a specific quality within a certain amount of time for the least amount of money.
But in making this calculation, CEOs typically fail to consider the expense of an unexpected supplier plant shutdown or a transport disruption that makes it impossible to get materials shipped. Consequently, many critical supply chains are extremely vulnerable, say security experts.
“A lot of companies have backed off doing anything about protecting their supply chains, because there hasn’t been a significant attack in three years,” says Joe Martha, a vice president for supply chain practice at Mercer Management Consulting. “But this is unrealistic. There could be a disruption any day and CEOs have to ask themselves if one day of lost production€¦quot;and it’s likely they’ll lose more than that€¦quot;is worth not keeping three, four or five days of extra inventory.”
The general lack of preparedness was writ large by an incident that occurred coincidentally on the same day as the disclosure of new security threats. Hundreds of American Airlines and US Airways planes were grounded when a computer glitch, apparently caused by an employee’s mistyped command, scrambled a flight-operations network managed by Electronic Data Systems. As badly as the airlines were harmed by the September 11th attack, security experts found it alarming that carriers still lacked basic backup systems to thwart a virus placed by a terrorist (or even a disgruntled worker) and keep their planes in the air.
A recent survey illustrates well CEO sentiments about security. In late 2003, PricewaterhouseCoopers conducted nearly 1,400 interviews with CEOs worldwide. Fifty-nine percent said that overregulation is either a significant or big threat to their businesses’ growth prospects. Only 40 percent felt that global terrorism represented a meaningful threat. Moreover, about 70 percent of CEOs were confident that their companies had “formal enterprisewide” risk-assessment programs and responses in place. Put another way, CEOs generally view Securities and Exchange Commission Chairman William Donaldson as more dangerous than Osama bin Laden.
But another set of responses refutes the logic of this conclusion, says Joel Kurtzman, the PricewaterhouseCoopers partner who led the study: When the CEOs were asked if they have the information they need to manage risk across their organizations, only 26 percent strongly agreed. A mere 23 percent said that a common terminology and a set of standards exist at their companies to tackle risk. “What this says is that CEOs have the same false sense of security as everyone else,” says Kurtzman. “They like to believe that there are no real external threats to their organizations, because they have shielded themselves from these threats. But when prodded to describe the protections that they have in place, they have to admit, not many.”
This attitude is particularly surprising because of the cost of an unexpected incident, whether a terrorist attack, a natural disaster, an accident, an environmental foul-up or any other unforeseen event. Some industries€¦quot;airlines, financial services and manufacturing, to name a few€¦quot;still have not fully rebounded from 9/11. And based on figures that emerged during the West Coast dock workers’ strike in 2002, if a terrorist used a commercial ship or container to detonate biological or chemical weapons at U.S. ports, which are still virtually unprotected, sea lanes could be closed for upwards of 90 days at a cost of more than $50 billion to American companies, according to Naval security expert Rear Admiral James Miller. Even a relatively small event, an overnight blackout in a 100-square-mile area where a consumer goods company has its main regional warehouse could take a percent or two of sales out of a quarter’s results.
Some industries, by their nature, are having trouble preparing for disaster. Sources in the telecom industry, for example, say that, although the providers are taking threats seriously and will set up multiple redundant data systems for corporate customers willing to pay for them, there is simply no real way to bomb-proof telecom lines.
Of all major industries, the financial services sector appears to have done the most to prepare. Many top Wall Street firms have set up “mirror” facilities that allow them to ship data from their primary operating centers to the backup facility in real time, or very close to it. But those mirror facilities are often located within 30 miles of the primary data processing sites. Morgan Stanley, for example, has a site in Westchester, and Citigroup’s backup site is also within a 30-mile radius. That simply may be too close. And no one knows how those backup sites will operate if the firm’s entire IT staff is eliminated or is unable to reach the backup site.
Even insurance companies aren’t sure how to measure this kind of risk. In general, underwriters insure only about 25 percent or less of a company’s worldwide risk. A great deal of extended liability, such as the potential loss of key materials after a supplier’s operations are shut down by an attack, is usually not covered, indicating that insurers are still uncomfortable with measures companies are taking to secure their operations. In a narrow number of cases, though, for companies that have gotten serious about risk management, setting up protections for supply chains and other overseas operations, insurers are more willing to underwrite a greater amount of coverage. They work with companies to produce hedging programs in which exposure is shared among underwriters, the companies themselves and investments in derivatives and other financial instruments.
That leaves CEOs to figure out just how to get serious. One of the most important pieces of being ready for an attack, say experts, is careful examination of the most critical aspects of a company’s activities, including extended relationships with third-party suppliers and business partners, to locate the weakest links. For example, after 9/11, Ford Motor was forced to idle five plants and production dropped by 13 percent in the fourth quarter of 2001 because its Canadian-manufactured engine parts sat for days on trucks trying to cross the U.S. border. Ignoring the dangers of this sole-source arrangement, the automaker had failed to contract beforehand with an alternate supplier in the lower 48 states.
Some companies that learned costly lessons three years ago have made changes to guard against future incidents. Toyota, a company that prides itself on efficiency, was forced to slow down production of its popular Sequoia SUVs in its Princeton, Ind., factory after 9/11. That’s because it only belatedly discovered that a key supplier, Continental Teves, couldn’t deliver parts because it was overly reliant on another German company for steering sensors, which were grounded in Europe by the moratorium on flights.
Since then, Toyota, among the few companies in the past few years to take the broadest view of security€¦quot;also called extended enterprise risk management or resilience planning€¦quot;has demanded that each of its top suppliers design a security plan that offers alternative arrangements in case a primary source is disrupted. Continental Teves, a German company with U.S. headquarters in Auburn Hills, Mich., reacted by signing agreements with shippers to carry German parts by boat to North America if airplanes are grounded. And the company now maintains a two-week, rather than a one-week, inventory of sensors.
Maintaining “buffer” stock, or extra inventory on hand, during dangerous periods or when key suppliers are located in potential tinderboxes is one way to prepare for anything that might come along. Just-in-time inventory systems become just-in-case networks. Equally important is setting up secondary sources for critical parts that can be tapped if a supplier or a distribution channel is shut down. And companies should continually assess their supply chain to patch the weakest spots, paying greatest attention to materials and supplies earmarked for their best performers.
“In general, companies whose supply chains survive an unexpected incident intact have looked closely at their business units beforehand and determined that, for instance, 62 percent of their revenue is generated from these three products,” says Gary Lynch, president of management consultantcy Xeno, who advises executives at ADP, Pepsi and Citicorp, among others, on risk strategies. “And they’ve designed preventive plans to protect those three products at all costs.”
Cost vs. Security
Despite the evidence that risk can be managed, many CEOs feel they are handcuffed by fiscal realities and are unable to give risk management a lot of attention. As the PwC survey showed, dealing with Sarbanes-Oxley is very much on the minds of CEOs€¦quot;and the costs of it are frequently quite high. Some of the larger companies have earmarked anywhere from $10 million to $100 million annually over the next few years to meet the law’s mandate that public companies certify to having systems in place to unearth and protect against financial fraud, according to PwC’s Kurtzman. For businesses struggling to become profitable again, such as the airlines, or saddled with the slimmest of profit margins, like automakers, consumer goods companies and retailers, an additional $10 million or more to pay for extensive and ongoing protection from external dangers is beyond the budget.
What’s more, for many CEOs, the goal of increasing shareholder value often collides with the notion of improving their companies’ ability to withstand a business disruption. For example, the growing and risky practice of relying on single sources for critical components or products may be bad risk management but good business, because these exclusive partnerships with favored suppliers usually nail down the best prices in the marketplace. “There’s tension in the C-level ranks to squeeze a tremendous amount of cost out of their systems,” says Jeff Holmes, executive vice president at Manugistics, a software company that has helped develop supply-chain management programs for dozens of corporations, including BMW, Ford, Deere and Continental Airlines. “In doing that, companies have become more and more dependent on overseas or independent suppliers and partners for sole sourcing and have not created alternative contingency purchasing plans.”
As a result of cost concerns, most security programs tend to be overweighted on plant and employee protection€¦quot;in essence, the last but perhaps least expensive line of defense. Since 9/11, Kroll, one of the world’s largest risk-assessment firms, has experienced huge growth in physical security jobs. The projects include erecting hardened barriers around buildings, starting employee identification systems, creating contingency plans for evacuation and training bodyguards for top executives, according to Chris Gniet, a vice president at the company.
Also playing into the lack of high-level risk-management initiatives at companies are the kind of security advisers CEOs have chosen to rely upon. In many instances, CEOs have responded to 9/11 by hiring chief security officers with impressive rÃ¦#169;sumÃ¦#169;s€¦quot;former Secret Service or FBI agents€¦quot;but very little strategic expertise. Their experience stems primarily from flanking a perimeter to protect ranking officials from harm or investigating crimes. When CEOs turn over the task of protecting their companies to these specialists, they get good tactical results, but nothing in the way of safeguarding an extended supply chain or a thorough analysis of hiring practices at a partner’s overseas factory.
In fact, the training that security officers have traditionally had has become so irrelevant to what companies facing international disruption actually need that one of the leading risk-management certification groups recently changed its curriculum to focus on producing executives capable of handling strategic aspects of security, data recovery and disaster planning. “Starting in the past year, the curriculum has become more sophisticated,” says Thomas Mawson, executive director of DRI International, which has certified nearly 3,000 security professionals. “Courseware has been rewritten to teach business continuity planning and execution to groom people for chief risk officer positions that can be of value to the CEO.”
But even with the right advisers, security experts say, ultimately it is up to the CEO to make business continuity and risk management a priority and justifying the costs. If there is one lesson that CEOs should have taken away from 9/11, says former CIA official Devine, is that if you wait for something to happen, it will. “The CEO who gets deeply involved in risk management is going to be very, very happy some day that he did,” says Devine. “It’s that or face a chaotic future.”