Select Committee on Defence Minutes of Evidence


Examination of Witnesses (Questions 720 - 739)

WEDNESDAY 10 APRIL 2002

MR JOHN SHARP, MR DAVID GAMBLE AND MR PAUL WOOD, MBE

Chairman

  720.  Thank you so much for coming. We are deep into our inquiry now. I mentioned to you outside that it is not normally something that the Defence Committee would do, but we do not have quite the same institutional loyalties that perhaps other committees might have and we were left with the role that needed to be played by Parliament and we are doing it, so we have looked into this and we are looking at the military, local authorities, the private sector, the police, ambulance and fire services, and seeing where they can better be integrated. There is less attention given to the role of the private sector but the private sector is critically important. In some ways the public sector has a lot to give by way of expertise to the private sector but I strongly suspect that good companies and good operations in the private sector can give infinitely more advice to the public sector. You have gone through a number of crises over the years vis-à-vis terrorism and, pretty obviously, continuity and resilience are words used very, very frequently amongst companies that are truly aware of what is happening. The first thing I wanted to ask is an all-level question which is how would you define business continuity and resilience?

  (Mr Sharp) If we look at the definition of business continuity, which can apply to any organisation whether it is a commercial, not-for-profit or government organisation, then it is a process by which organisations are able to identify the incidents—and we use the word "incidents" rather than "disasters"—which can affect the mission critical processes of an organisation whatever that may be and having identified those mission critical areas for it to have in place appropriate plans which are both coherent across the organisation but, most importantly, rehearsed to deal with any incident that may occur. The issue we have got here is mission critical and understanding what is critical for the organisation. That does not matter, as I said before, whether you are public, private or government, each has a mission to deliver, and clearly those are the things that one should protect.

  721.  The terms continuity and resilience are often treated interchangeably. Can you clarify it further?
  (Mr Sharp) The way I perceive it is that resilience is one of the things that you build in in order to build continuity so it is your techniques of ensuring that your organisation can continue in business. I do not know if you would agree with that?
  (Mr Wood) I would not disagree with anything that John has said. I think it is all about the continuity of our business operations. The big difference that businesses are starting to think about with regard to business continuity and planning is we have shifted away from what was called "disaster recovery" which is what people were planning for, which is the inevitable disaster, to how we can sustain our operations, not just in times of major incident but in times of all sorts of difficulties—so other factors that might affect us from the outside world or from the outside community. The other issue that we have changed our emphasis on is that inevitably historically we have focused on the survivability of IT systems and we have focused just on information technology where, in fact, we need to broaden that scope and look at our knowledge of operations, our business knowledge, our centre of core processes, and understand how we can build resilience into that. If we lost all our key knowledge, which is very focused in our minds post-11 September where businesses lost their entire management structure and their entire core knowledge of how their business operations continued, how we can build in resilience to make sure that we do not suffer that sort of loss. We have stretched beyond what was originally just a focus on information technology.

  722.  How many and what kind of companies are really into this?
  (Mr Sharp) We have recently done a survey supported by one of the government departments with the Institute of Management looking at the type of organisations doing continuity. Commercial organisations are the major drivers. You probably again would agree that the finance sector is the biggest driver here. The survey was carried out across 5,000 companies of all sizes and all types and disciplines. What we found there was that only 45 per cent of those organisations have business continuity in place, so there are a lot of people who believe they have processes in place but when you get down to it they have not got proper continuity. It is concentrated currently in the major financial organisations, major retail organisations, and coming into some major manufacturers. It has not percolated down into the small and medium businesses yet.
  (Mr Gamble) We certainly have it in the oil industry.
  (Mr Sharp) Indeed we do.

  723.  What sort of documents should we be looking at then to have a real flavour or concept of business continuity and resilience? There must be textbooks. I have been to a few conferences. If you have time, could you just give us a flavour. I would certainly love to come along and talk to you individually on this because I think it is not just a fascinating but a very relevant subject. Is the expertise you are seeing being passed on to government departments? Are government departments equally aware of the threat to their operations as a result of a major fire or some catastrophic attack?
  (Mr Sharp) We started working with the DTI and what is now the Government Office of Commerce, the CCTA, back in 1999 as a result of the work that was going on to put continuity in place for the year 2000 in government departments. It was identified to us that the Cabinet Office would make the assessment of plans that were going to be presented but there were no effective measures to evaluate those plans. So we worked with the DTI and the CCTA, as it was then, and also with the insurance industry to produce evaluation criteria. We then went on to produce a guideline for continuity management, something I submitted by e-mail last night and which will be in the papers you have. That again has been supported by government organisations, the CCTA and the DTI, it tries to encourage a common approach to continuity. What has happened subsequent to 11 September is that the Government Office of Commerce issued a guideline for all government departments and agencies on continuity and that was based on the guidelines that you have in front of you. I have a copy of that with me.

  724.  That would be really helpful.
  (Mr Sharp) I can get that to you. There is an awareness and the Civil Contingency Secretariat is beginning to try and promote it. The Department of Transport, Local Government and the Regions has recently sponsored some work because of the fuel crisis. Again it was the same, to try to promote and encourage. The feedback I get from a meeting I attended at the Civil Contingency Secretariat is that perhaps government departments are not taking it as seriously as they should.

  725.  Can you give us some picture as you see it of 11 September. Are memories fading, do people think they are over the worst or was it a real wake-up call to the private sector?
  (Mr Wood) I do not think that people are having fading memories of it. It has certainly served to heighten the attention of business management and senior business management that this is a risk that is more significant than they perhaps perceived before. It was a huge awakening to the US and to the US community in general. Indeed, I think it was the first real recognition that terrorism had hit them in the homeland and it has hurt more than they ever anticipated. Because of our long history of indigenous terrorism within the United Kingdom it has been at the forefront of our minds. This was the very first time that the people have appreciated that we have a different type of terrorist, willing to enact his terrorism on our own doorsteps and not worry about the catastrophe that comes or the loss of life that will follow and who is also not concerned about their individual, personal loss of life. So we are seeing a different focus for how terrorism is being fought and being brought to us. I think it has caused organisations that have a global structure like ourselves (where we have representation in many countries) to understand that the risk is very real and that the risk to us because of our association with the US or other areas and because of the way in which the UK has stood as a staunch ally with the US that we are probably at more risk than some of our European counterparts.

  726.  Have there been examples in recent years of companies who have not had disaster recovery plans who have now been fatally injured as a result of their lack of preparedness?
  (Mr Sharp) It is not a terrorism incident but—and this is House of Commons water I see—there was a classic incident with Perrier—

  727.—Of course.
  (Mr Sharp)—Who failed to deal with a minor problem and saw it escalate and the consequences of that. I would also point you towards BNFL and the issues of BNFL and the consequences of that.
  (Mr Gamble) In Japan at the moment Snowbrand, which has almost gone out of business because of the way it has been sending out contaminated milk, is another example. If you get it completely wrong and you do not have the management in place you can eventually lose your reputation. I suppose in a way Enron is another example of a failure of management.

Mr Hancock

  728.  It had nothing to do with management failures!
  (Mr Sharp) And Andersen's as well. But you asked, Chairman, about whether or not people are still paying attention to the events following 11 September. Certainly my members because they are the buyers of insurance are extremely interested because not a day passes without some insurance company deciding to withdraw some cover. That goes back to 11 September.

  Chairman: We will come on to that. Kevan?

Mr Jones

  729.  Clearly amongst yourselves there is a lot of experience in terms of this type of work and I hear what you have said about having discussions with the government and the Civil Contingency Secretariat about promoting it in business. Have they come to you to ask for any assistance or tried to draw upon the expertise that you or other organisations have got in this to look at putting in place the review that is currently going on about preparations post-11 September in United Kingdom policy?
  (Mr Sharp) I was invited to come and talk to the Civil Contingency Secretariat very early on in their work when they started business continuity resilience and they have now asked us to work very closely with them in promoting best practice and helping them also to focus on how we could improve the resilience, so that is one area. I would like to come back a little bit later to address that.

  730.  That is promotion. Have they asked you for models that you use to adapt for government use?
  (Mr Sharp) The Government have adopted one model already and issued that, of which the Civil Contingency Secretariat are aware. The FSA are an interesting body because they have asked us to give them advice and help. They are encouraging and supporting us in a group that we have now formed from across the finance sector to develop good practice guidelines and evaluation criteria. I use the word "encourage" because our Regulators are reluctant to endorse and reluctant to actually require, and that is light-handed regulation.
  (Mr Wood) I would echo that issue in terms of we would as an industry, and certainly within the financial sector, appreciate a firm set of guidance from the Regulators as to what they are expecting. These woolly ideas that they think are best practice against essential practice or good practice and not knowing to what level they want to assess our preparedness is confusing and is not good for business. If they articulated clearly what they are expecting and what they would want to see, we would all be in a better state of preparedness to look at it. They could judge us all on an equal footing as to where we are and what we are going to do.

Chairman

  731.  Do they have that expertise?
  (Mr Sharp) No and they are turning to us to help them with that expertise.
  (Mr Wood) That is fair to say with regard to some of the regulatory authorities. In fairness, there are elements of government departments that do have it. I think probably the defence sector is keen that there is a good understanding and as a retired serving officer I would echo that that is probably where I gained a good percentage of my knowledge. But then you develop it and put it around the business spin and the issues you need to put into practice in business operations. Certainly they are used to dealing with incident management, they are used to dealing with serious problems, and they have got a fair amount of experience and training from that.

Mr Jones

  732.  I accept that but that is one department.
  (Mr Wood) I agree, it is only one department.

  733.  For example, let us say 11 September or something similar happened here and wiped out many Inland Revenue records or some other department's records.
  (Mr Wood) Absolutely.

  734.  That might bring a sigh of relief!
  (Mr Sharp) Is that a recommendation from this Committee!

  735.  That would create real problems. To what extent are government prepared for something like that to put contingencies in place if that were to happen or if some other main database or collection were affected by an act of terrorism?
  (Mr Wood) It is difficult for us to comment on a particular department because we are not aware what planning is there but I know again from my previous background when I was instrumental in looking at national key infrastructures and critical installations and critical key points and therefore the planning and contingency work around that sort of activity is done and is prepared and is thorough and does look in some detail at what is necessary to keep UK plc going. I think you are correct in saying that the large institutional parts of government that have these masses of records do need to think very carefully about how their contingency plans are and whether they are prepared and, more importantly, going back to the point John made, they then need to rehearse them because without rehearsal there is no point in having the plans in the first place.

  736.  You are perhaps not aware of the detail but post-11 September has the Civil Contingency Secretariat asked you for any help?
  (Mr Wood) I have to admit to not even understanding or knowing what the Civil Contingency Secretariat is about.

  737.  You are lucky!
  (Mr Sharp) They are certainly looking to map out the critical infrastructures and then they are trying to identify how resilient that is and they want to publish this infrastructure map. I have suggested that they should identify the weaknesses and plug them before they publish it.

  738.  We are now a few months on. Is that not quite a fundamental situation in terms of mapping it out? We do not know what bits, before you publish, need protecting. I agree with you that it is perhaps best not to publish it until the plans are in place to protect it. Is that not a fundamental starting point?
  (Mr Sharp) That work has been going on and was going on before 11 September. It was going on because of the fuel crisis and then foot and mouth forced it on, but the fuel crisis really drove it. We think 11 September has serious consequences but the fuel crisis had far greater consequence for the UK and has driven many people in departments who were involved in the COBR activities to focus very clearly on trying to clear up the inconsistencies and failures of our systems. Coming back to the Inland Revenue, if you take that and many other government departments they have outsourced IT processing to the private sector. This morning I was reading a paper from a serving military officer about the resilience of the Pay Units and how effective the continuity processes of the Pay Units were, which have now been outsourced.

  739.  Was that because the private sector chose to do it as a matter of course or were they told to do that by Government?
  (Mr Sharp) It comes back down to what is in the contract.
  (Mr Wood) It is very much dependent upon how the service level agreement is put in place and what you are specifying and whether you are conscious of the fact that we need to specify it in the first place. That is the issue and I do not think that has always been the case.
  (Mr Sharp) Contracts that are in place do not necessarily have effective continuity in them.

  Mr Jones: That might be an area to look at.


 

© Parliamentary copyright 2002
Prepared 24 July 2002