We are rapidly approaching the tenth anniversary of that tragic day in September when terror struck New York City and Washington D.C., friends and acquaintances were lost forever, and crisis management, business continuity and disaster recovery were no longer thought of as obscure business practices.

Time has a way of healing wounds and allows the pain and suffering to fade. Unfortunately, time also has a way of making us forget the lessons we learned and permits us to return to the bad habits and practices we held prior to September 11, 2001.

The German writer Johann Goethe said, “The greatest tragedy in all of life is to experience the pain, but miss the lesson.” As we remember those who died in the World Trade Center, Pentagon and United Flight 93, we should also revisit the lessons to come out of this event — to ensure that we have not regressed back to our old ways.

Communications, Communications, Communications

One of the most important lessons learned from 9/11 was the importance of reliable communications tools and practices during a crisis. In Manhattan, land lines were compromised and cell phone towers overburdened — inaccessible for the most part. At the time, some were able to communicate on their Blackberry devices; this was largely due to the fact that the user community was not so large as to over tax the infrastructure in place to support it.

The waterfalls are tested at the National September 11 Memorial at the World Trade Center site, Friday, July 15, 2011 in New York. The memorial will be dedicated in a ceremony on September 11, 2011, the tenth anniversary of the terrorist attacks. One World Trade Center, center, rises above the site. (AP Photo/Mark Lennihan)

Regardless of the particular communications tool you use, the lesson here is to ensure that you have alternatives and contingencies in place should one or more communications channels be impacted by an event.

We also learned the importance of communicating with the right people. Many organizations communicated with their impacted employees and customers, but — as I learned from talking with a number of large, international firms after the event — the importance of communicating with remote regions and offices outside the immediate footprint of the crisis was often overlooked.

In many cases, companies’ domestic and foreign offices complained that they were not in a position to answer questions about their own New York offices — the head office, in many cases — because they were not getting any direct information. Many were forced to gather information through the media and other channels.

Since 2001, the phenomenon of social networking has revolutionized communications. News about a crisis and your ability to adequately respond to it will be broadcasted from numerous sources through a variety of social networking tools. The way that you use these tools to get your message out and monitor what is being said about your organization should be addressed in your crisis management and business continuity plans. A poorly implemented and orchestrated corporate communications plan can undermine the efforts of your crisis response team.

Accounting For Employees

Another lesson to come out of 9/11 was the inability of companies to account for employees. Previously, most business continuity plans established congregation points where employees would gather and be accounted for. In Manhattan, the footprint of the tragedy was so large that it impacted the congregation points. The events of 9/11 proved that this technique is not practical for large-scale crises or locations where many companies occupy the same facilities.

Following the evacuation of downtown New York City and practically all of Manhattan, many employees returned to their homes and simply waited to be contacted by their company. As a result, many organizations eventually implemented a “reconnect process” whereby employees could call a central number — ideally a number supported outside of the targeted location — to account for themselves. Reconnect process or otherwise, it is important for organizations to have a process that all employees are familiar with.

In this June 16, 2011 picture, firefighter Richard Browne, with the Perrysburg, Ohio Fire Department, places his hand on a damaged New York Fire Department truck in Hangar 17 at John F. Kennedy International Airport in New York. The Port Authority of New York and New Jersey is preserving and storing artifacts from the September 11, 2001 attacks in the airport hangar. Browne toured the hangar while picking up a piece of 9/11 steel destined for a memorial in Wauseon, Ohio. (AP Photo/Mark Lennihan)

Who’s In Charge?

Another challenge that large, multi-divisional companies experienced was in trying to manage the crisis in a consistent manner. Many buildings near the World Trade Center were occupied by numerous companies or autonomous divisions of the same corporation. As a result, inconsistent decisions were made regarding whether to evacuate or stay in place.

In some cases, management made the decision to not only stay in place, but to continue to function as a normal work day. Employees became confused and concerned when others began evacuating.

There were also problems with employees being directed by an anonymous figure-head who claimed to be in charge. In times of crisis, people look for direction from those they know and trust — the day-to-day management that they are in the trenches with every day. When someone new starts shouting orders, employees look to their management — people they know — to confirm and validate these commands.

Wherever possible, companies’ crisis management framework should provide for corporate-wide response decisions to be communicated through the normal organizational structure.

Leadership Styles

Most senior level executives in a firm have achieved success because of their ability to perform long-term strategic planning. The most effective leadership style for these individuals is “participatory management,” where they solicit information from a wide group of resources, process the information and determine the proper course of action. This management style takes time and is effective for decisions that are not time-sensitive.

During times of crisis, the most effective leadership style is “command and control.” People look for someone in authority to make decisions for them, quickly and confidently, without having to form committees and perform studies on possible courses of action. Not all senior-level executives have the skills to lead under these conditions.

An article in the July edition of Continuity Insights (Turning Disaster Response On Its Head) discusses the advantages of a structured network over a top-down, command and control style of response. While the article makes many valid points, the thing we learned from 9/11 was not that command and control was ineffective, but rather that the command and control resources were not adequately prepared for or provisioned to effectively guide us through such a crisis. Improvements to an organization’s response can be achieved by being better prepared for a transition to command and control management — not by abandoning the strategy altogether.

The Mental Health Factor

Many organizations overlooked the potential impacts of stress, fear and other emotional contagion that are experienced during times of extreme crisis. For those that had internal employee assistance programs, the scope and breadth of the crisis quickly surpassed the ability of these programs to meet the resulting mental health demands.

Also, mental health problems were equally distributed amongst management and staff. People at all levels of an organization are susceptible to breaking under the pressures of such an unusual and traumatic event — even crisis management team members.

Succession Plans

Companies need to ensure they have complete and updated succession plans for all levels of management. After 9/11, many organizations’ leadership teams were either geographically separated without the means to communicate, victims of the mental health issues noted above or tragically killed in the event.

Business continuity planners need to identify all managerial positions that require immediate succession, maintain up-to-date succession plans and ensure that the identified next-in-command is adequately trained and prepared to assume that role if required. Failure to achieve this, in some cases, may have contributed to the short-comings in the command and control aspects of crisis management during 9/11.

External Single Points Of Failure

Many companies were lulled into a false sense of security because they utilized multiple communications vendors or had dual power and communications feeds into their building. However, many of these vendors used the same underground infrastructure or power lines.

In other words, companies may have done a good job of eliminating single points of failure (SPOFs) within the walls of their own building, but all they did was move the SPOF to some external entity.
Disaster recovery and business continuity planners should ensure that they are not promoting this same level of false security. Make sure you know where your SPOFs are and whether they are internal or external.

Program Assumptions, Scope & Scale

Prior to 9/11, most disaster recovery and business continuity plans were based on the assumption that, following a disaster, a company could function with about 20 to 25 percent of the work force and infrastructure relocated to an alternate site, and that it would eventually be able to move back into its production facility.

The events of 9/11 shattered those assumptions, and many plans based on this premise were virtually useless. Companies were scrambling to find temporary — and then permanent — real estate to house 100 percent of their surviving workforce and to recover 100 percent of their operational capacity.
Most companies take months or years to plan and execute a corporate move. Business continuity and disaster recovery programs are challenged to achieve that same result in a matter of days, and during times of stress, panic and confusion.

Ensure that your management team is well aware of how much and how little your plans address, what assumptions are being made and how much functionality can be recovered in short timeframes. If your plans do not match your management team’s expectations for a worse-case scenario, you may find your solutions to be inadequate in meeting their demands.

Perfect Practice

In the aftermath of 9/11, I spoke with numerous companies that were surprised by their limited recovery capability — even with years of testing and exercising. The problem was that they did not perform “perfect practice.”

One large financial services firm had been exercising successfully for years out of their alternate trading floor facility. At least twice a year they would set up operations in their alternate trading floor and actually conduct production operations from this facility. What they had failed to do, however, was to completely sever access to the production data center in the same building that housed the trading floor. So yes, the alternate trading site had all the desktop tools and phones to support a trading floor operation, but without connectivity back to the production office these devices were little more than paper weights.

This issue is closely tied to the SPOF issue discussed earlier. As contingency planners, we need to identify the SPOFs in alternate facilities as well as any resources and infrastructure shared with your production facilities. During recovery exercises, all connections back to infrastructure and technology in the home office must be severed.

Additionally, be aware of how much time and effort it takes to prepare for a recovery test. Many organizations that were testing for years before 9/11 were only successful with their tests because of special back-ups or special configurations they mirrored in the test preparation process. Of course, disaster events do not come with advanced warning and there is no time for pre-recovery preparations. Ensure that you can successfully recover with a moment’s notice — without relying on pre-recovery setups.

A Word Of Caution

Whenever I discuss lessons learned from the events of 9/11, I always like to add a word of caution. As tragic and devastating as it was, in terms of business continuity issues it could have been worse due to the nature of the event and the impact it had world-wide. There were few expectations that companies would be fully operational and responsive the next day. Organizations were afforded the luxury of time and understanding as they struggled to get back to normal operations.

The events that impact only your organization; that are not necessarily newsworthy; where your customers do not share the tragedy or hardship; where the expectation that you should be responsive to your customers’ demand for products and services remains — will challenge you above and beyond, and in different ways, than an event like 9/11. Think about potential crisis situations that could be limited to your organization — ones that may not impact your customers, vendors or competition.

Changed Forever

As I solemnly await the tenth anniversary of the tragic events of 9/11, my thoughts are with the loved ones I lost and the business associates that perished. As a crisis management, business continuity and disaster recovery professional, I remember that day as a turning point for how we conduct our business. I hope that the lessons we learned are not lost with the passing of time.

Joe Flach is the founder, CEO and Lead Consultant for Safe Harbor Consulting, LLC — a management consulting firm specializing in crisis management, business continuity and disaster recovery planning. Mr. Flach was living and working in shadows of the World Trade Center on September 11, 2001 and regularly speaks about the lessons learned from this event. You can contact Mr. Flach at
jflach@safeharborconsulting.biz.