This bulletin was written before the Egypt air crash and may be the subject of next week’s bulletin. Our thoughts are with the families of the victims.
This week Charlie looks at kidnap as a business continuity threat after his recent travels.
Last week I was in Monterrey in Mexico, and as it was my first time in Mexico, apart from going there for breakfast from Belize, I thought I should focus this week’s bulletin on what I learned from the trip. I did lots of work whilst there which included working on a business continuity app, planning a business continuity trip for later in the summer and delivering a crisis management course based on BS11200, the crisis management standard.
Monterrey, a few years ago, was plagued by extreme drug gang violence including a spate of kidnapping, but these days it is not so prevalent. I was a little nervous about the trip but travelling around the city seemed very benign. Towards the end of the trip a colleague informed me that two federal agents had been killed just 300 yards from our hotel and that on the Monday evening we had actually seen the police cars going to the scene of the crime. This made me a little nervous again!
The relevance to business continuity is a little tenuous but the episode did get me thinking about kidnapping, especially when I walked back from the office, and on returning safely back to the hotel, started to think about whether kidnapping was a business continuity incident. In terms of staff loss, one member of staff, however senior, shouldn’t be a business continuity incident. If you have done your threat assessment properly you should have identified any people who are single points of failure.
I think this can become a business continuity incident from two angles. Firstly, if it is the CEO of the company or a very senior manager the organisation can go into paralysis. This is especially true if the company is perhaps family owned, is very hierarchical or has a very strong or charismatic CEO. Secondly, the organisation may need to manage the incident using their crisis management structure. During a kidnap there will be multiple organisations involved, there will be key interested parties to manage such as the family of the victim and there will be media to contend with. Even if the kidnap is managed covertly there will still be a number of stakeholders to manage. There will be difficult decisions to make and when the kidnap is hopefully resolved, there will be court cases and investigations which will require evidence from those who managed and made decisions during the event.
Often organisations, especially those who send people to ‘at risk’ countries, have kidnap insurance but one of the requirements of the insurance is that the knowledge of the existence of the insurance is known to very few people. As part of the insurance you get a kidnap specialist who is skilled in negotiating back the victim. The insurance company will not pay the ransom it is up to your organisations to pay it.
As the business continuity manager, I believe, you need to know of the existence of the insurance so you can build this into your plans and be aware that there will be additional personnel helping in the incident management of the kidnap. If possible the plan should be exercised especially the decision making element so that your senior managers are aware of the decisions they may need to make. Will they pay the ransom out of company funds and what are the legal implications of doing this? This is an example of just one of the many difficult decisions they may have to make.
So yet another threat to consider is kidnap. If, for your organisation this is a threat, then you need to ask whether there are plans and insurances in place, see how they fit with your existing incident management plans, and if there are none, work with senior managers to develop and exercise a plan!