DISASTER SECURITY PLANNING AND THREAT

PERCEPTION IN CORPORATES

1.0 Objective

The objective of this paper is to familiarize you with emergency and disaster planning
which involves a coordinated, co-operative process of preparing to match urgent needs with
available resources.

The aim being to identify the threats related to the corporates and how to formulate a
response plan. A disaster management plan needs to be a living document that is periodically
adapted to changing circumstances and that provides a guide to the resources, protocols,
procedures, and division of responsibilities in emergency response.

After completing this unit, you will be able to appreciate the full range of disaster risk
management processes and also be able to:

 review the technical aspects of crisis management pertaining to corporates

 examine the effects that threat and opportunity constructs have on crisis planning
 appreciate responses to the impacts of disaster pertaining to corporates
 maintain business continuity while managing the crisis, and to guide recovery and
reconstruction effectively

1.1 Introduction

Growing threats of terrorism, natural disasters and increasing instances of social unrest
have made physical security one of the biggest concerns for corporate India. A large number of
companies feel the existing security standards, legal, regulatory and compliance frameworks in
the industry were not adequate to support corporate security requirements in India. This is
according to a survey by PwC (Pricewaterhouse Coopers Private Limited) India and American
Society for Industrial Security (ASIS).

A majority of the survey respondents felt that that the industry is not fully equipped to
promptly respond to natural disasters, which is clear indicator for organizations to take a serious
look at business continuity/crisis management strategies of organizations to effectively respond
to corporate security threats and natural disasters such as floods and earthquakes.
 However, many organizations have woken to the implications of physical security over the
past few years and there has been a conscious effort from organizations in form of additional
and proactive measures to ensure better safety arrangements. While five years back physical
security assessment was rare and uncommon, today almost 46 percent per cent of the
organizations surveyed in India conduct a physical security risk assessment once a year,
whereas 17 percent do it monthly.

Dinesh Anand, Partner and Leader-Forensic Services India (a leading firm which provides
forensic services and cyber security to the corporate world) says, “Over the past few years,
corporate India has witnessed a steady increase in the number of physical security threats and
breaches. While we have very little control over occurrences such as floods, earthquakes and
terror attacks, we do have control over the ways we can safeguard our businesses and people
against them. Unfortunately physical security takes a back seat in business operations and most
of the steps taken by organizations are reactionary rather than preventive. Organizations need
to pay attention to the potential physical security risks and do something about them.”

It is critical for security professionals and management to be aligned and work together to
identify potential strategic security threats and prepare a plan for resilience and sustenance of
their business. There is a strong need for public-private partnerships and involvement of
industry veterans in the policymaking process, besides the need for setting up a compliance
standard for baseline requirements and benchmarks for physical security. Towards this end, the
Private Security Agencies (Regulation) (PSAR) Act, 2005 also needs to be reviewed.

The reports unveils that cyber crime and corporate espionage have been rated as two of the
most serious threats to organizations in the coming years. This indicates the need for stronger
collaboration between the domains of cyber security and physical security on account of
interlinkages between the information and physical world. Terrorism being the second important
threat, organizations need to beef up their training and awareness programmes and work in
close collaboration with the law enforcement agencies.

1.2 Brief Background

At the outset we need to understand the need for the specific requirement for disaster
security planning and threat perception as far as corporates are concerned. Today the corporate
security office has emerged as one of the most critical corporate voice in identifying
preparedness vulnerabilities to leadership, transmitting the message of security awareness and
practices (behavior) to corporate employees as well as promoting a culture of anticipation of
future disasters. Simply put, “Good security is good business.” Security is at the core of human
continuity preparedness only when corporations recognize the value and need to foster a
“community of safety” rather than merely protect buildings. When security is not focused on
individual employee behaviors, day-to-day and in response and recovery from a disaster in
response and recovery from a disaster or terrorist event, human continuity preparedness; and
there fore citizen preparedness—is less effective.

The physical security environment in India is still evolving and there is a wide gap
between government policies and their implementation. Providing actionable security
intelligence was considered as a key enabler by a majority of the respondents and more than
half of the respondents (54 percent) reported the need for stringent but simplified laws and
regulations for industry and for promoting the use of common industry practices.

Security and risk management are principally concerned with the protection and
conservation of corporate assets and resources. The task of protection continues to be an
increasingly complex one in a time when technology is creating new products (and thus risk) at
an explosive rate. Add this to the crime rate -- now aggravated by domestic and international
terrorism -- and the importance of risk analysis and evaluation to design proper protection and
response becomes self-evident.

1.3 The Role of Corporate Sector

In keeping with the paradigm shift in its approach to disaster management brought about
by the Government of India and the recurring phenomenon of natural disasters impacting all
sectors of socio-economic life, including the corporate sector, and inflicting heavy economic
losses, focused attention has been given to risk mitigation endeavors to systematically reduce
the vulnerabilities. The new approach stems from the premise that development in any sector,
more so in the corporate world, cannot be sustainable and viable unless risk reduction and
mitigation measures are built into the development processes and that investments in mitigation
are much more cost-effective than expenditure on relief, rehabilitation and reconstruction.
Recognizing the gargantuan proportions of the challenge posed by recurring incidence of
natural catastrophes, association and involvement of corporate sector and their representative
nodal organizations for initiating disaster risk management measures has been considered as
integral to success of disaster management initiatives.

The corporates in every country have always played a major role in post-disaster relief,
rehabilitation and reconstruction efforts in the affected regions. Disaster relief and management
is now part of their Corporate Social Responsibility (CSR). In India, the contribution of the
corporate sector has been notable especially in the aftermath of the devastating super-cyclone
in Orissa in 1999 and the Bhuj earthquake (Gujarat) in 2001. The industrial and corporate
organizations like the Confederation of Indian Industry (CII), the Federation of Indian Chambers
of Commerce and Industry (FICCI), the PHD Chambers of Commerce and Industry and other
industry and area-specific manufacturers and traders associations have been in the forefront of
providing much-needed succor to the affected populace for ameliorating their sufferings. The
Confederation of Indian Industry (CII), with a direct membership base of nearly five thousand
industrial and corporate houses and an indirect associate membership of around fifty thousand
companies from 283 national and regional sectoral associations, was the first industry
organization to constitute a Disaster Management Committee in May 2001 as part of its
corporate set-up to advise and assist its member industries in initiating disaster risk reduction
steps to insulate industrial establishments, infrastructure and processes from the vagaries and
damaging potential of natural and man-made (industrial/technological) disasters.

CII had undertaken extensive relief, rehabilitation and reconstruction work in the
aftermath of Orissa super-cyclone and Bhuj Earthquake – adopting villages and contributing to
the reconstruction of social and community assets. Apart form addressing natural disasters, CII
has established an Environment Management Division (EMD) involved in research and
propagation of environmentally sound industrial systems and processes. It has been deeply
involved in advising and developing systems and methodologies for safer and disaster-free
handling of chemicals and other hazardous substances in production processes and
procedures. The EMD has also been assisting the industries in development and
implementation of on-site and off-site disaster management plans for ushering into an
environment friendly industrial scenario, especially in the light of experience of the Bhopal Gas
Tragedy. In addition, many area-specific industrial and commercial associations have also been
contributing towards the well-being of the community around them by adopting socioeconomic
practices aimed at improving the living conditions and generally benefiting the people at large.
For example, the Ankleshwar Environment Preservation Society in Ankleshwar, Gujarat along
with Ankleshwar Industrial Association has set up joint effluent treatment plants for medium and
small-scale industries in the industrial belt with predominantly chemical industries and has also
taken up disposal and treatment of solid and hazardous waste generated by industries and the
cities with their own expertise and finance. Industries at Ankleshwar have shown that through a
proactive and collaborative approach, environmental problems can be addressed in a
constructive manner.
 The corporate sector possesses huge resources – human, material, technical and
financial – and has significant presence in every region in the country. It also works and
interacts with the community very closely and has an important stake in the well-being and
prosperity of the community as its own progress and viability is largely dependent upon a
resilient and safe community. The accountability of the corporate sector in terms of its Corporate
Social Responsibility (CSR) has also increased as the value and reputation of a company is
being increasingly adjudged by its social behavior and by its contribution to the economic well-
being and development of the communities in which it operates. However, in keeping with the
change in focus to the pre-disaster aspects of prevention, mitigation and preparedness to mount
an all round assault on vulnerabilities and building of capacities at all levels, a lot of
emphasis has been laid on integrating the disaster risk reduction and risk management aspects
into the functioning and processes of industries. With a view to achieve this objective, active
collaboration with representative industrial organizations like the CII, FICCI etc. is being forged
for assessing and meeting the needs of corporates to have their assets and infrastructure
analyzed from the point of view of retrofitting of existing structures and ensuring safety of
upcoming industrial assets and establishments against the vagaries of nature and human
related crisis/disasters and security threats.

1.4 Resilience – The Key word

In recent years, a new consensus of the concept of resilience has emerged as a practical
response to the threats faced by organisations and from the key stakeholders, including boards,
governments, regulators, shareholders, staff, suppliers and customers to effectively address the
issues of security, preparedness, risk, and survivability.

 Being resilient is a proactive and determined attitude to remain a thriving enterprise

(country, region, organization or company) despite the anticipated and unanticipated
challenges that will emerge;
 Resilience moves beyond a defensive security and protection posture and applies the
entity’s inherent strength to withstand crisis and deflect attacks of any nature;
 Resilience is the empowerment of being aware of your situation, your risks,
vulnerabilities and current capabilities to deal with them, and being able to make
informed tactical and strategic decisions; and,
 Resilience is an objectively measurable competitive differentiator (i.e., more secure,
increased stakeholder and shareholder value).
1.5 Corporate Social Responsibility and Disaster Management

CSR permeates every aspect of the functioning of corporate sector. The corporates always
look for ways and means to enhance the brand value of their company and their products. It is
in this context that corporate social responsibility makes good business sense. It is a business
strategy that works. Nowadays, the value and reputation of a company are increasingly being
seen as its most valuable assets for retaining the loyalty and trust of the public to ensure a
bright and sustainable future. The business corporations, because of their high visibility, are
being adjudged not merely on the basis of their bottom lines but also on their social behavior. By
integrating CSR into its business strategy as a core value, the corporates not only make a
significant contribution to a better society but are also recognized for doing so. This has obvious
benefits for the company. In fact, enormous rewards are there both for the business/industrial
community as well as the society. The companies are motivated to achieve profitability,
sustainable growth and human progress by placing corporate social responsibility in the
mainstream of their business practice.

As part of their corporate social responsibility, the companies are encouraged to conduct
business responsibly by contributing to the economic health and development of communities in
which they operate; create healthy and safe working conditions to attract and retain a quality
workforce; manage risk more efficiently and minimize the negative impact of its activities on the
environment and its resources; be accountable to all stakeholders through dialogue and
transparency regarding economic, social and environmental impacts of business activities;
operate a good governance structure and uphold the highest standards and ethics while
conducting business. The corporate sector is an integral part of the society. As a member of the
community, it is its responsibility to contribute to sustainable development and to integrate social
and environmental concerns in its business operations as well as in its interaction with other
stakeholders It can play a leading role in supporting and building the knowledge, capacity and
skills of the community in comprehensive risk-based disaster management activities ranging
from prevention, mitigation and preparedness to response and recovery.

It can offer human and financial resources and can also be a precious source of technical
know-how, as for example in the case of identification and research on technological solutions
to prepare for and respond to natural disasters. In addition, the recovery of the community
cannot be complete if the business community itself is seriously affected as disasters can have
serious negative fall-out on the corporate sector. For them to acquire capacity in disaster risk
management would also entail protection of their employees and dependents. Corporate
sectors’ cooperation in reducing people’s vulnerabilities to natural disasters would also help it in
protecting its market catchment areas. In the aftermath of a catastrophe, the resources of the
community are more likely to be utilized in protecting and rebuilding livelihoods rather in
acquiring goods and services offered by the corporate sector. Thus, their involvement in
minimizing the impact of a natural event or in facilitating speedy and sustainable recovery
should be viewed as a form of investment in protecting and securing its own “sources of
livelihood”.

As an inalienable part of its CSR, the corporate sector can play an essential role in
leading and supporting the community in comprehensive risk management activities and in
mobilizing human and financial resources as well as materials for utilization during a disaster
situation. In addition to this, the corporate sector can be a precious source of technical
knowledge, as for example in the case of identification and research on technological solutions
to prepare for and respond to natural disasters. On the whole, corporate sector has the potential
for strengthening and promoting its own safety and protection against natural catastrophes as
well as in assisting the community at large in reducing its vulnerability to disasters.

1.6 Economic Impact of Disasters on Corporate Sector

At the global level, nearly 700 major catastrophes take place every year affecting billions
in different countries. The disasters periodically visit the same geographical regions and set the
development clock back by decades. It is similar to taking two steps forward and one step
backwards. In some countries, this equation even gets reversed. The repeated occurrence of
natural catastrophes undermines the economic viability of the communities as well as the
corporate sector – further impoverishing the impoverished and sapping the very soul. It is
estimated that 28 developing countries, including India, suffered direct losses of over 1billion
USD each during the past twenty years.

In respect of some countries, it amounts to an erosion of over 1% of their annual GDP. In

India, the natural disasters eroded 2% of the GDP during 1996-2001 and consumed 12% of the
Government revenue during the same period. On an average, the disasters have been affecting
nearly six million people annually in India and over six percent of the population is directly hit. In
addition, the natural disasters pose a major threat to economic development in India as
disaster-loss figures are rapidly increasing. For example, during 1965-1980, the losses were to
the tune of 2.9 billion USD while during 1981- 1995, the same increased to 13.4 billion USD.
However, this was overtopped in six years during 1996-2001 with loss figures touching 13.8
billion USD. The table below shows the catastrophe losses in India during the period in million
USDs.
 A new infographic from Boston University’s Masters in Specialty Management program
concluded why disasters should be at the top of every organization’s priority list: as many as 25
percent of businesses don’t reopen following a major disaster. That means it only takes one
severe/moderate disaster related incident to pose a major threat to company and corporate
operations.

Threat awareness (knowledge of threats) and assessment (determination of risk) are the
drivers of corporate decisions on terrorism and disaster preparedness and response as well as
the resources it assembles and deploys in responding to its perceived and actual risk
environment. There is a requirement for the organization and its business to direct its threat
assessment to expected events: e.g., catastrophic accidents, workplace safety, internal threats
of employee stealing or tampering, kidnapping, travel security, disgruntled employees, product
contamination.
 Threat perception, in contrast to assessment and awareness, is largely a psychological and
behavioral process based on perception and belief. Threat awareness and assessment have
largely been analyzed and conceived of in an operational context. The recognition of threat
perception as an additional level of planning is necessary to human/employee preparedness
and planning. A number of factors influence security and disaster threat awareness,
assessment and perception:

1.7.1 Geography: A corporation’s location, its corporate headquarters, its national

presence and its international presence, influenced its assessment of the threat of terrorism.
Proximity to sites of previous terrorist events heightened the sense of vulnerability. The actual
physical facilities of a company also in- fluenced perception of threat. Geographical barriers to
preparedness include operations in rural and remote settings, as well as international sites
where local regulations may prohibit protective measures such as employment screening.
Further, in some foreign locations, local affiliates of an international corporation may assess
threat differently from the local government with which it is conducting business.

1.7.2 Brand: Corporations consistently draw attention to their “brand”, in the context of
threat assessment. For corporate response planners, “brand” had a range of meanings
including specific product or product line, a service, or even the reputation of the company.
Brand is an important element of corporate identity. A corporation’s perception and beliefs about
their brand is a major factor in how they protect, plan for, respond to, and recover from disaster.
Brand is a core part of an enterprise that has broad meaning to people both within and outside
of the corporation. Brand is a set of attitudes and characteristics that defines the corporation in
people’s minds and serves as a point of reference. Threat assessment often focused to the
value of this emotional aspect of brand. In some instances, the threat assessment based on
interpretation of “brand” leads to a lowered perception of threat, while in others, the corporate
brand is seen as a potential reason for attack. The interpretation of “brand” is an organizing
principle that determined the steps corporations take to prepare for adverse events including
natural or industrial disasters or anticipated acts of terrorism.

In one of the studies, one corporation believed that their brand was recognized (within their
own industry) as being synonymous with a particularly high level of care for their employees.
This company devoted considerable energy to providing individual employees with evacuation
kits and personal protective equipment. This activity was not merely a symbolic gesture, but
evidence of the extent to which corporate leadership was invested in the idea that their brand
meant care for employees. As one security director remarked, “Good security is good business.
Good security protects the brand.” Another corporation assessed their threat for terrorist attack
as low because they regarded their brand as not widely recognized. They felt that many of the
corporations they supplied were more vulnerable because their products had greater brand
recognition. Thus, the company that perceived its brand as unfamiliar centered its concerns on
product contamination in the context of day-to-day business more than the likelihood of a major
terrorist attack on their products. Another corporation recognized that its name, while not that of
a product, was still a recognized brand, and removed signage containing its corporate logos
from its plants in vulnerable, foreign locations. Brand can represent multiple threats for a
corporation, and even itself be the object of attack.

1.7.3 Points of Failure: Corporations tend to organize their threat assessment and
preparedness planning around the concept of potential points of failure — critical points of
business supply, function or vulnerability to disruption. For example, critical transportation
nodes, outsourced functions, remote and international sites with questionable security
protection are all recognized as vulnerabilities in their risk environment. Businesses differ on the
number and types of points of failure they identify. Preparedness from this vantage can be only
as good as an organization’s imagination as to what the actual potential points of failure might
be. Little attention is given to additional human/employee preparedness at these points of
failure.

1.7.4 Human Continuity as Business Continuity: The traditional view of business

continuity has been focused on the infrastructure of an enterprise, i.e., its facilities and
hardware. Some but not all describe an expansion of the concept of business continuity to
incorporate the organization’s social capital— its human continuity. Corporate communications,
security, human resources, occupational health services, and leadership attitudes are seen as
vital in protecting and sustaining the human continuity of a corporation. In the US there was a
shift in priorities from business continuity to human continuity after the attacks of 9/11.
Corporations undertook a number of measures to support this. Examples include the creation of
backup work sites, redundant information systems, use of virtual offices, having a disaster
communication plan, and expanded use of communication technology, such as Blackberries,
web-based company intranets, and maintaining frequently updated personnel lists (both hard
copy and electronic) which managers carried with them when not at the office.

1.7.5 Critical Event Preparedness: Another challenge to human continuity is anticipating

what types of events to prepare employees for. Furthermore, when an event occurs, it is often
hard to get information about exactly what has happened. Thus, employees and managers go
through a period in which critical decisions must be made, but they do not have complete
information about the nature of the event. Corporate leaders interviewed in the same study
noted that in the aftermath of corporate disasters they needed to rapidly develop plans for
making quick decisions with incomplete information—and not letting the lack of information
prevent them from taking some form necessary action in a timely manner. This observation has
been reported in other threat situations as well. In an incident in which a small plane
encroached on restricted airspace in the Washington, DC, area, officials did not know whether
to respond to the threat as a potential bomb/explosive event or a chemical/biological attack. The
Puralia arms drop case in India had similar ramifications and a confused response. Even when
programs have been put in place to ensure or improve human continuity, it is difficult to know
until an event occurs whether the right programs have been put in place and whether they have
worked.

1.7.6 Corporate-Community Cooperation and the Public-Private Interface: No

corporation is an island. Corporations generally realise the need to rely on community resources
and to respond to community needs. Terrorism preparedness and response requires
coordination and cooperation between the public and private sectors including a company’s
community or communities, as well as state and central agencies. Public/private interface
around terrorism and disaster preparedness can range from issues of research, to sharing and
interpretation of threat information, to the role and resources of a business in response to a
major disaster and to the local fire department and law enforcement in responding to corporate
needs. Corporations also identify numerous barriers to effective public/private interface. One
barrier is the perception that the central government will take care of disaster preparedness and
response. This discourages self-initiatives and allocation of resources at the individual,
company, and corporate levels. Another issue for the corporations is the potential that
proprietary information may become available to their competitors. In addition, there is a
reluctance to shoulder the financial costs of research, especially when that research might
benefit competitors. Doing “good” for the nation, while valued by corporations, is not always
good for business, and corporate leaders recognize their fiduciary responsibility to stockholders
as foremost. The same factors that discourage joint public/private research endeavors also
discourage research collaboration among corporations.

1.7.7 Training: Corporations have training programs invariably aligned to more general
discussions about safety, health, leadership, and communication. Some of these areas and
topics do involve trainable skills, especially in relation to a disaster or terrorist attack. In some
companies, training is focused on the safety of everyday operations and is conducted regularly.
In these companies, there is very little training specifically geared to terrorist events, threats and
security breaches. Many of the skills taught in safety training are applicable to only one kind of
preparedness (e.g. only earthquake or flooding or fire).

1.7.8 Cost: Expense is a barrier to more extensive training for specific terrorism and
disaster preparedness. Some corporations have the money to implement expensive exercises
and to secure the services of outside consultants who can develop, conduct, and evaluate
sophisticated exercises. However, these exercises are for senior management who strategize
from the top down, and are not intended for employee preparedness. Drills devoted to employee
preparedness, such as evacuation drills, are not uniform and frequently are not taken seriously
by the employees themselves. When preparedness is optional the issues of cost, and therefore
affects on the bottom line, are substantial. If mandatory or required by regulation this
competitive loss is equalized across and industry.

1.7.9 Fear of Increasing Anxiety: Some corporate managers fear that training for terrorist
and disaster events can raise employee’s anxiety. However, the informants interviewed by the
study team were not able to identify any specific examples of this having occurred. In contrast to
this view, corporations that directly experienced labor problems, earthquakes or floods believe
that conducting regular drills and communicating openly about preparedness issues empowered
employees and made them less fearful. Furthermore, security leadership in these corporations
that were affected recognized that training builds behavior that will maximize positive outcomes
in the event of a terrorist attack or a disaster. Preparedness is not instinctive; rather, it is a set of
learned skills and behaviors.

1.8 Preparedness-The Best Defence

Preparedness, at the “macro” level, and for the individual employee, is motivated by threat
awareness, threat assessment, and threat perception. Defining events—a corporation’s
historical experience with crisis and understanding of past responses—shape the identification
of potential future threats and efforts to prepare for these events. Other factors influencing threat
identifi-cation include geographical location (particularly the location of corporate headquarters)
and degree to which the corporate “brand” is perceived as a potential terrorist target. Points of
failure (e.g. as critical nodes for material supply, vulnerable geographic locations, or relatively
unsecured or unprotected corporate functions or processes) are organizing principles upon
which corporations based concerns about future business disruption and hence, preparedness
efforts.

In addition to corporate security, the divisions of employee assistance, personnel/human

resources, occupational health (medical and Employee Assistance Programs (EAP)), and senior
corporate leadership (e.g. President/CEO) served primary functions in establishing a corporate
culture of preparedness. Coordination between these offices are crucial to comprehensive
preparedness planning and response (e.g. translating this culture into a “climate” in which
individuals altered their planning and behaviors to protect themselves and their families and,
therefore, the corporation. The degree to which all of these divisions are involved in the planning
and response processes vary across corporations as do their integration in the preparedness
process. The extent to which these service divisions (particularly occupational health) are
internal versus outsourced to vendors substantially affect the level of attention given to and
degree of participation in preparedness efforts. This affects both knowledge of present
corporate needs and planning for internal and external (i.e. contracted for) services critical to
human preparedness. There are four main reasons why natural disasters can be so impactful to
unprepared firms:

1.8.1 Damage to Assets and Physical Property: This is probably the most prominent
risk that businesses need to consider. When natural disasters strike, they often do substantial
damage to physical assets. Company buildings and property may be damaged, or equipment
could also be ruined. For instance, Eurogamer recently reported that UK based videogame
developer Hello Games recently lost everything after a nearby river broke its bank resulting in a
natural disaster. Computers, monitors, furniture, doors and a wall were all lost due to water
damage and to make matters worse, insurance didn’t cover the incident because the firm was
located in a flood zone.

1.8.2 Damage to Raw Materials: Natural resources are another direct organizational loss in
many disasters. For example, cold weather can destroy crops or a wild fire could destroy timber
being collected and stored. As is the case with physical damage to assets, businesses can
calculate precisely the damage done by disasters to raw materials.

1.8.3 Supply Chain Disruptions: Unlike the previous two loss categories, supply chain
disruptions are indirect organizational losses that may be a bit more difficult to calculate. The
more corporations rely on supply chains, the greater the effect of a disruption. For example, if a
manufacturer relies on shipments of raw materials, production could be severely delayed if a
main road gets washed out due to a flood. In turn, this could lead to delayed shipments of
finished goods to retailers, which may even affect contractual obligations. Of course, if supply
chains aren’t so tightly run and aren’t as important, then the damage may not be as severe.

1.8.4 Workers are Unable to Do Their Job: This is another indirect organizational loss.
During severe weather events, people may not be able to attend work or even if they can, they
may not be able to operate at peak efficiency. Power outages, Internet outages, inability to use
the appropriate tools and other similar issues may cause downtime, which can lead to
significant losses.

Disasters therefore can cause a lot of issues for companies, in terms of both direct and
indirect losses. This is why businesses must make natural disasters a top priority in their risk
management efforts. According to the University of Boston infographic, organizations can
effectively manage natural disaster risk by simply investing in disaster preparedness.
Businesses should consider all the different impacts of man made and natural disasters, ranging
from lost sales, damage to property and income or to regulatory fines. From there, steps such
as uninterruptible power supplies to better site selection and disaster preparedness can be
taken to mitigate – if not outright prevent – many of the dangers associated with corporate
threats.

1.9 Crisis Management, Planning , Training and Testing

The impact of a terrorist strike, corporate espionage/sabotage, earthquake, hurricane,

tsunami, or any other disaster can be devastating to an organization, its finances, and its
employees. Damage to businesses and infrastructure — on top of the damage to lives — can
linger for weeks, months, or years.

The critical task for businesses, particularly those operating in vulnerable regions of the
world, is to ensure they have crisis management plans and experienced real-time crisis
response personnel in place to mitigate the potential impacts of a natural disaster and return to
normal operations as quickly as possible.

An effective response is the result of a comprehensive corporate preparedness and crisis

management program that creates an overarching decision-making framework that orchestrates
and aligns an organization’s various incident- and site-level response activities, including:

 Emergency response.
 Business continuity.
  Supply chain.
 Crisis communications
 Human impact.

While each component of effective crisis preparation and response is critical, it is often
the human side of a disaster — particularly the impact on employees and their families — that is
the most difficult to manage and, ultimately, the most important when returning an organization
to some semblance of business as usual.

Preparedness, rehearsals and effective response and crisis management plans and
procedures are therefore a necessity in any organization. A reality check to determine whether
the current crisis management and response plans are adequate to help the management deal
effectively and manage information needs and situations as they arise must be done regularly
and the management needs to assess--

 Do we have the tools, structure, and resources to proactively manage the

situation and anticipate possible consequences?
 Is our process enabling us to effectively manage our information needs and the
range of issues as they arise?

 If our organization is not in the midst of a crisis, what can we do to be prepared?

1.10 Need For Real Time Crisis Response

The standard decision-making approaches or management structures that one relies on

day-to-day will no longer work in a crisis. The requirement of a Crisis Management Team for
supporting the organization, employees and clients during some of the most severe, high-profile
events — whether physical events (such as natural disasters, industrial accidents, and
workplace violence) or non-physical issues (including litigation, data breach, and investor
activism) is unavoidable in the present day scenario.

Because a crisis can strike at any time and an immediate response is required, a Crisis
Response Team should be available 24/7 to provide counsel and personalized support to the
organization and senior leaders. Good planning and foresight will help manage the crisis,
mitigate the potential damage, protect corporate reputation, and, ultimately, safeguard the
organization. A well structured plan will also provide access to a full range of additional real-time
response solutions that are available to further assist recovery, including loss assessment,
claims management, claims advocacy and damage control.
 The ability to manage a crisis successfully is the result of understanding risks and
vulnerabilities, comprehensive planning, regular exercises, and a strategy for maintaining these
capabilities. A systematic approach to help manage crises can be achieved by-

 Assessing preparedness and benchmarking existing plans against best

practices.
 Developing a crisis management plan that enables management to respond to
any issue or event and manage it effectively.
 Training and exercising Crisis Management Teams to validate plans and
procedures.

Providing security for facilities and personnel in post-disaster environments is another

requirement often tended to be overlooked. Even in the best-prepared communities, factories,
industries and large corporations, the magnitude of public safety issues, unpredictable
consequences, and non-functional infrastructure can easily overwhelm public authorities and
limit the capacity of local government/police to respond to general emergencies. Traditional
security agencies, reliant on local personnel and infrastructure, are often unable to sustain
effective operations under such significant demands without special access to outside sources
of food, water, fuel, and personnel. As witnessed during the Bhopal Gas Tragedy and later
during Hurricane Katrina a few years back, organizations that fail to predict these problems in
their disaster recovery planning by relying on local public safety and security providers often find
themselves unprotected and at a loss for a correct course of action and mitigation of the
problem at hand.

1.11 Corporates and Cyber Security – A New Dimension

Corporates are a prime target as far as hacking is concerned and cyber security assumes
immense importance in the overall security planning and threat perception.
 To give an example as far as corporates and cyber security are concerned, Walmart, one of
the top companies in the Fortune 500 list, hasn't been immune to cybersecurity breaches.
According to an investigation by Wired in 2009, hackers broke into the computer system used
by the company's development team to steal information from cash registers. That data then
found its way onto a computer in Eastern Europe. In 2009, Wal-Mart's Chief Privacy Officer said
the company was doing its best to "segregate the data, to make separate networks" and to
"encrypt it fully" to safeguard from future data hacks. In one of the tech industry's racier
scandals of 2014, hackers broke into the iCloud accounts of a number of Hollywood celebrities
and made off with nude photos. Celebrities targeted included Jennifer Lawrence of "Hunger
Games" fame, model Kate Upton and actress Kirsten Dunst. At the time, Apple released a
statement saying the breach wasn't system-wide, but rather due to specifically targeting the
celebrity accounts. "None of the cases we have investigated has resulted from any breach in
any of Apple’s systems including iCloud or Find my iPhone," according to a statement. The
timing, however, wasn't the best for the company, with its announcement of the new iPhone 6
phones slated for a few weeks later.

The biggest mistakes companies make with data security are failure to understand the true
threat against their employees, suppliers and ultimately, their data.

 Failure to have a cutting-edge comprehensive Information Security plan.

  Failure to view data security as a "business problem" and not just an "IT
problem."
 Failure to view data security as a 3-D ecosystem.
 False reliance on an obsolete ‘perimeter protection' strategy vs. ‘data-centric'
strategy.
 False reliance on cyber products and anti-virus.
 Failure to classify data and trade secrets.
 Failure to properly train and certify employees, contractors, vendors, suppliers.
 Failure to understand the true significance of Insider Threat.
 Failure to use ongoing intelligence to shape and strengthen their data security
strategy.

What is a data breach? The definition seems obvious for any organization. A data breach
occurs when data that was supposed to be protected from unauthorized access is exposed.
What may not be as clear cut is all of the ways that sensitive data can be compromised. These
include malicious attacks, accidental mistakes, and employee incompetence. Confidential
information can fall into the wrong hands during electronic file transfers, accessing lost or stolen
devices, or as a result of hackers' infiltration into a company's servers. Even sending an
unsecure email could qualify as a data breach, depending on the information it contained.

Data security breaches normally take place because of the following reasons:

 Emailing unencrypted data.

 Having unencrypted data on mobile phones.
 Taking sensitive data home on work computers.
 Re-using passwords.
 Sharing passwords.
 What is a data breach response plan? As complex as the causes of data breaches can be,
the steps for responding are fairly straightforward, though time-consuming, stressful, and
expensive. Dealing with the breach will be monumentally more challenging if you don't already
have a data breach response plan in place.
Generally agreed upon steps include:

 thorough, extensive documentation of events leading up to and immediately

following the discovery of the breach.
 clear and immediate communication with everyone in the company about what
happened, and how they should respond to any external inquiries.
 immediate notification and activation of the designated response team, especially
legal counsel, to determine whether law enforcement and/or other regulatory
agencies need to be involved.
 identification of the cause of the breach and implementation of whatever steps
are necessary to fix the problem.
 development of messaging and deployment schedule for notifying those whose
data was compromised, based on counsel from lawyers who will review state
laws, compliance regulations, and other mandates affecting what the messaging
must say and how soon notification must occur, as well as what compensation to
affected victims should be provided.

1.12 Formulating a Disaster Response and Mitigation Plan

Every corporate, industry, manufacturer, office complex, commercial center and establishment
(viz airports, railways, airlines, malls etc ) needs to have well structured SOP's and disaster
management plans in place so that when the need arises, swift response is inherent to foresee,
reduce, mitigate and react to any eventuality. The requirement is to prepare a disaster
management plan for its area of operations according to the circumstances prevailing in the
area; co-ordinate and align the implementation of its plan with those of other organs of state and
institutional role players; and regularly review and update its plan.

The aim of any response plan is to ensure that disaster recovery solutions are rapidly
deployed. Disasters are a ramping threat in today’s efficiency-driven business world. Modern
corporations make use of tightly run supply chains to minimize redundancy and maximize their
budgets. On top of that, with urban centers becoming hotspots for burgeoning businesses, the
fact that a single company can be crammed into a single, multi-floor building can lead to issues
if a natural disaster demolishes that one spot. The plan should:

 Form an integral part of the local disaster management and security plan.
 Anticipate the likely types of disaster (natural/man made) and security breaches
including cyber attacks and terrorism related incidents that might occur and their
possible effects.
 Identify the communities, infrastructure, employees and corporate structure at
risk.
 Provide for appropriate prevention and mitigation strategies.
 Identify and address weaknesses in capacity to deal with possible disasters,
unrest and security breaches.
 Facilitate maximum emergency preparedness.
 Establish the operational concepts & procedures associated with day-to-day
operational response to emergencies by local, state and national authorities.

Contain contingency plans and emergency procedures in the event of a disaster, providing
for – The allocation of responsibilities to the various role players and coordination in the carrying
out of those responsibilities; Prompt disaster response and relief; Disaster recovery and
rehabilitation focused on risk elimination or mitigation; The procurement of essential goods and
services; The establishment of strategic communication links; The dissemination of information.

The purpose of the plan is to outline policy and procedures for both the pro-active disaster
prevention and the reactive disaster response and mitigation phases of Disaster Management. It
is intended to facilitate multi-agency & multi-jurisdictional coordination in both pro-active and
reactive programs.

1.13 Recommendations
 Corporate security should be positioned, and should have the knowledge and interest for a
leadership role for human continuity preparedness. Education of this group regarding the means
to building “a community of safety” will enhance their ability to perform in this capacity and build
a vision of this role.

Medical Directors, Health Officials, Hospitals and Health Ministry are under-identified as a
critical component of corporate human continuity. Their distance from corporate decision
making should be reduced as it currently limits their contribution to assessing threat of, planning
for, and responding to the health implications of terrorism—especially bioterrorism and
infectious disease outbreaks with population-health implications (e.g. SARS, Avian flu).

Employee Assistance Programs and Occupational Health require knowledge of evidence-

based and evidence-informed interventions to mitigate, respond to and foster recovery from
disasters.

Integration, collaboration and cross functionality of roles within corporations in human

continuity planning is critical for, responding to and recovery from terrorism to include corporate
security, employee assistance, medical, human resources, and corporate communications.
Preparedness initiatives must promote this integration.

Defining events are central to the manner in which preparedness is integrated into or absent
from corporate human continuity preparedness. Changing preparedness and response behavior
must build upon the experience, lessons, and language of defining events. Finding unified
concepts, operations, and cultural supports that resonate with existing corporate disaster
paradigms for each corporation as well as language that addresses human continuity aspects of
disaster response is needed. In general, talking about “terrorism preparedness” per se is not
easily understood in the corporate world, nor easily implemented. In order for terrorism
preparedness to be understood and implemented it requires “translation” into the defining event
language of a specific corporation’s history experience with a disaster or critical event.

Since corporations are part of communities in which they conduct operations around the
globe they are components of local, state, federal and private networks. Coordination at the
local level across these boundaries is necessary for human continuity planning for terrorism,
disasters and critical incidents. From fire planning to daycare and inoculation for biological
events (influenza to bioterrorist agents) the boundaries of corporations and their communities
are porous and require resourcing and planning to meet human continuity and preparedness
objectives. Education on the issues of community planning and response are particularly
needed for the core preparedness functions (e.g. security, employee assistance, medical,
human resources and communication).

1.14 Summary

Disaster Management, Security Planning and Threat Perception being all-encompassing

and multi-disciplinary activities spanning across all sectors of development, a coordinated action
in conjunction with all stakeholders including the corporate sector is a sine qua non for
overcoming the vulnerabilities and minimizing the risks. It will not only help pooling of resources
but would also facilitate exchange of information and expertise across sectors, learn from each
others’ experience and best practices. The objective of disaster management initiatives is to
consciously move towards strengthening the national capabilities in accordance with the status
acquired by India as a self-sufficient and self respecting nation well-positioned to mount an
effective and substantive disaster response and to take care of the concerns vis-à-vis disaster
management across different sectors.

In the aftermath of the recent tsunami crisis too, the response of the government, the civil
society, the voluntary organizations and the corporate sector has been exemplary in spite of the
geographical constraints and the extent and sweep of operations and has earned appreciation
from the international community. The governmental efforts have received commendable
support from individuals, organizations, the corporate sector and the society at large. The crisis
has brought out the best in our society and the entire nation has risen as one entity to meet the
grim challenge posed by this unprecedented catastrophe of gigantic proportions through
voluntary and meaningful contribution from every stakeholder. However, effective disaster
management is a long-drawn battle against the formidable forces of nature and necessitates
devising a comprehensive strategy and work plan based on the lessons learned and
experiences gained from every disaster.

The shortcomings and gaps need to be addressed and successes built upon. The
Government of India as well as other stakeholders including the corporate sector have
reaffirmed their commitment and resolve to achieve the objective of moving towards a disaster
resilient and safe nation. The task is arduous and the challenge ominous. However, the
roadmap is well-defined and clear. No effort will be spared and no constraint would be allowed
to impede the progress towards creating a safe and disaster-free nation and the challenge
thrown by successive disasters will be converted into an opportunity for further strengthening
disaster risk management measures.
1.15 References

 Gabriele G.S. Suder, 'Corporate Strategies Under International Terrorism and

Adversity', Edward Elgar Publishing, 2006, ISBN 1847200222, 9781847200228.
 Jane Bullock, George Haddow, Damon P. Coppola, 'Homeland Security: The
Essentials', Butterworth-Heinemann, 2012, ISBN 0124158684, 9780124158689.
 John Rittinghouse, James F, 'Business Continuity and Disaster Recovery for
InfoSec Managers', Digital Press, 2011, ISBN 0080528333, 9780080528335.

1.16 Further Reading

 http://naturalhazardscience.oxfordre.com/view/10.1093/acrefore/9780199389407
.001.0001/acrefore-9780199389407-e-12
 Smith, S. ‘AVA’s Dynamic Tree Analysis’, Proceedings of the Twelfth National
Computer Security Conference, Baltimore, MD, 1989.
 Weiss, J. ‘A System Security Engineering Process,’ Proceedings of the
Fourteenth National Computer Security Conference, Washington, D.C.,
1991.

1.17 Model Questions (Essay Type)

 What is the role of corporates (CSR) in disaster management and disaster

mitigation?
 How do disasters have an economic impact on corporates?
 Explain briefly the importance of threat awareness, threat perception and threat
assessment in the corporate scenario.
 What is the importance of cyber security vis-a-vis corporate threat perception and
security planning ?

1.18 Model Questions (MCQ)

 The corporate sector possesses huge resources in terms of-

(a) Humans, material, technical and financial knowhow

(b) Machinery and generators

(c) Information technology

 Ans: (a)

 Environment Management Division has been established by-

(a) Ministry of Home Affairs

(b) FII

(c) MCA

Ans: (b)

 Threat perception, in contrast to assessment and awareness is largely a-

(a) Psychological and behavioral process based on perception and belief

(b) Is a function of security forces

(c) Is not a part of corporate structure and planning

 Data security breaches normally take place because of the following reasons-

(a) Un-encrypted e-mails

(b) Natural disasters

(c) Heavy rains

Ans: (a)

 Every corporate, industry, manufacturer, office complex, commercial center and

establishment (viz airports, railways, airlines, malls etc ) needs to have:

(a) Well structured and rehearsed response SOPs

(b) Security personnel

(c) Chartered accountants