After Sept. 11, 2001, and the March 11, 2004, Madrid train bombings, many experts believed that it was only a matter of time before another U.S. ally - the United Kingdom - would also be hit by a fundamentalist terrorist attack. Unfortunately, on July 7, the years of expectation became a reality. It was an event for which London's financial services industry has been preparing ever since the two planes crashed into the World Trade Center. Yet, for its tragic loss of life, the impact, and subsequent fallout, on London's financial sector was relatively limited. In the end, very few institutions or market participants had to invoke their emergency plans.
For instance, despite having one of its buildings evacuated, due to its proximity to Liverpool Street station near one of the bomb sites, Tullett Liberty didn't need to put any of its emergency plans into action, according to Geoff Chapman, the firm's CIO. "All the buildings kept working, the power was still going, the systems were still running," he says. "We were able to clear and settle trades, so it wasn't a factor."
However, with the London transit system shut down and police blocking off certain areas of the city, simply getting to the office became a problem for some firms' employees. One financial organization that did implement its emergency plan had to do so when a police cordon was put up around its building. "We weren't going to be getting back in quickly, so we invoked our business recovery plan, which meant transferring key personnel to our backup site," says a spokesman for the organization, which requested anonymity for security reasons. "The backup site was running within an hour and 20 minutes" from the time the decision was made to evacuate, he relates.
The decision to switch over to backup IT systems, move key personnel to the backup site and ask non-mission-critical staffers to go home proved to be the right strategy, the spokesman continues. "But, obviously, there are lessons we've learned from [the aftermath of the bombings], and those are going to be implemented in ongoing iterations of the plan."
For its part, the London Metal Exchange - which is located close to where a bomb exploded between the Aldgate and Liverpool Street tube stations - also fell within a police exclusion zone. Floor trading, therefore, was suspended (it resumed the following day), although trading by phone and on the exchange's electronic platform, LME Select, continued.
Similarly, the London Stock Exchange (LSE) continued to function, although its operations were impacted. There were high levels of trading on the day, with the market moving quickly both up and down, and, as a result, the exchange implemented its "fast market" rules, recalls an LSE spokeswoman. The rules contain two elements: the first was to relieve market makers of the obligation to quote two-way prices, given the difficulty of continually updating them; and the second was to ask member firms to switch off automated trade input facilities, to prevent volatility, she explains.
The LSE spokeswoman stresses, however, that the fast market rules were formulated to maintain the integrity of the trading systems of the LSE and its members, rather than as a response to any specific event. The fast market rules, she continues, could be triggered by economic factors rather than a terrorist threat, for example. The spokeswoman declines to discuss the exchange's specific contingency plans, "as it defeats their usefulness." She acknowledges, however, that the exchange will talk to its customers to examine if anything can be learned from the July 7 events.
So how do the events in London translate to the financial markets in the United States? After 9/11, business continuity planning obviously took on a whole new level of focus, with financial services organizations of all descriptions driven by self-interest and regulatory demands to implement robust recovery and continuity plans. But the London bombings represent a different threat.
While the magnitude of the July 7 events was more contained - with considerably less loss of life, infrastructure damage and market disruption - the fact that it targeted the transportation network and was repeated two weeks later gives many in the industry pause. So, can we expect to see a frantic reworking of disaster recovery plans by market participants and a raft of new ordinances from the regulatory bodies to reflect the changing threat?
Alexander Tabb, partner and crisis and continuity services practice director with Westborough, Mass.-based TABB Group, does not believe that will be the case. While organizations initially may have scrambled after the bombings to check their plans and even fire up elements of it, he says, the impact was relatively short-lived, mainly because the financial services industry was not significantly affected.
Furthermore, emergency plans constantly are being refined and tested already, particularly among the major industry players, Tabb adds. The low level of disruption caused by the London attacks, and the fact that comprehensive BCP strategies already are a requisite, means that a new wave of regulatory action is unlikely, at least for now, he suggests.
However, the events in London, and more recently the devastation caused by Hurricane Katrina on the U.S. Gulf coast, did demonstrate the frailty of basic services upon which many rely. "What they really drove home was the message that you have to take into consideration a great many factors - you can't just say, 'We're going to move 20 miles away and everything is going to be OK,'" Tabb says. "If people can't get to work, it's an issue; if the transportation networks are shut down, it's an issue; if power is affected, it's an issue," he adds. "In London, it was the transportation networks. But the next time, who knows?"
According to Pat McAnally, senior director, professional services, SunGard Availability Services, the London bombings have caused an uptick in interest from customers. Given the transportation interruptions and the displacement of people that occurred, firms' contact and notification procedures came under the spotlight, he observes. There is a renewed focus, McNally relates, on disaster plans that address people needs - "Where do your employees go to get [necessary] information, are you taking care of them, how do you ascertain where people are?" he asks.
What July 7 reinforced, then, are the risks and challenges that come from geographic concentration, as was all too evident after the World Trade Center attacks. A few well-chosen targets can force large numbers of critical market institutions out of their buildings, disrupt utility services, gridlock the transportation system and leave key employees stranded.
Unfortunately, all the world's major financial centers face the same concentration issue, and for good reason - the synergies that come from being in the thick of the action. As TABB Group's Tabb points out, "Financial services is still about people, about contacts, about knowing more than your competition, and the way to do that is to stay on top of what's going on."
And that looks unlikely to change, at least for the foreseeable future. Instead, after 9/11, many organizations reassessed where to locate backup facilities. A lot of Wall Street firms, for example, have moved their BCP sites from the boroughs surrounding Manhattan to New Jersey or upstate New York, where more of their employees are resident, according to Tabb. "Then, if something does happen, they've identified critical staff members who, if they cannot get to the New York offices, can rapidly report to these hot sites," he says.
Of course, that still leaves some susceptibility when, as on both 9/11 and July 7, an event occurs that disables the transportation network after most people already have reached their city center offices. Getting employees off Manhattan island when all the transportation links are shut down is very difficult - as companies and commuters realized on 9/11, and then again during the Northeast blackout in August 2003. Likewise, similar challenges face firms located in Boston, Chicago, London, Tokyo or Sydney. But such large-scale events are not the only consideration when building a BCP facility.
Considerations Large and Small
For example, Harris Nesbitt, the investment and corporate banking practice of BMO Financial Group, recently built a backup site in New Jersey for its main offices in Times Square. Rather than build with the image of another 9/11 in mind, it has tried to prepare for more likely scenarios, according to Trent Gavazzi, managing director and head of technology, Harris Nesbitt and Harris Direct in New York. "A telco outage, a power outage, a flood in the data center, maybe a fire next door - something happens in our area of the city, and we can't get into our building. For those types of outages that are local to us, we have done everything we can to prepare and make sure we can recover in as short a time as possible," he says.
In the event of a broader-scale outage, it is a case of having the protocols in place and being able to react to events, contends Gavazzi. "When the entire Street is invoking BCP processes, then you have to take all the planning you've done and adjust that based on the type of outage," he says. "But it's never the disaster you prepare for."
As part of the BMO Financial Group, Harris Nesbitt also can leverage the wider organization's facilities in Chicago and Toronto to ensure that it can maintain its operations from areas outside the local BCP recovery site, adds Gavazzi. "The way the networks are orchestrated and the way we replicate data and services, we do have the ability, in a catastrophic disaster, to move people to different locations, to be able to access e-mail and files, and so on," he explains.
For smaller firms, however, the cost involved in maintaining redundant backup sites indefinitely will be hard to support, notes TABB Group's Tabb. Instead, small and midtier firms are more likely to outsource to third-party providers, which allows them more flexibility and relieves them of the overarching burden, he says.
One of the precautions regulators are pushing for is geographic diversity, so they are telling companies to be prepared to split their operations - a particular challenge for smaller firms, according to SunGard's McNally, who notes that the provider has addressed these requirements for its clients. "We have locations in major cities across the United States, and we also have a global network so that - especially if we're hosting the data - we can offer access from a variety of different locations," he says.
SunGard also has dedicated work group locations spread around the major cities that are set up "with PCs and phones and desks and copiers - all the things you need to keep running your business," says McNally. "We then tie you into your data, which can run over the global network. So we have geographic diversity, full redundancy and industrial-strength backup generation capabilities."
Continuing Focus on Continuity Planning
Still, the July 7 attacks brought BCP back into focus, if only as an impetus to double-check procedures or reassure executives about the status of their company's BCP plans. In all, continuous review of BCP seems to be the general tenor of the response in London.
Market operators and participants, infrastructure providers and the various authorities have had their disaster recovery and business continuity plans in place for some time. In that sense, it was hardly as if the bombings caught anyone off guard. As Tullett Liberty's Chapman notes, "BCP was already pretty high up everybody's agendas following 9/11, and I don't think the events of July have either raised or lowered it."
Rather, particularly in light of the ongoing threat, what can be expected on both sides of the pond is ongoing discussion, reviews of plans and, where appropriate, some fine-tuning. Such assessments will undoubtedly be helped by the Resilience Benchmarking Project initiated at the beginning of the year by the U.K.'s Tripartite Authorities - the Financial Services Authority (FSA), Bank of England and Her Majesty's Treasury. The objective of the Resilience Benchmarking Project is to determine the robustness of the U.K. financial services sector in the event of major operational disruption.
Coincidentally, full rollout of the benchmarking study - which aims to evaluate the resilience and recovery capability of key market participants and infrastructure providers in the event of a major natural or terrorist-instigated incident - was scheduled to run from June to September. Feedback from the study is due out in December and may offer some best practice suggestions based on the actual events of 7/7, according to observers.
In the meantime, the FSA's approach to BCP remains a relatively light touch. "Whilst we don't have a sort of list of 'This is what your plan must look like,' it is something that we consider needs to be tailored to an individual firm's business, and is something we would discuss with them on an individual basis," says an FSA spokeswoman.
Whatever strategy organizations employ, it is clear that business continuity planning will require a long-term commitment. The London bombings may not lead to a material change in regulatory policies or institutions' internal plans, but they already have turned up the pressure for financial services firms to get their plans in order.
On The Net