One year after 9/11, colleges and universities are using the impetus to jump-start disaster response plans for ‘more likely’ scenarios.

In the days and weeks following the September 11 attacks on the World Trade Center and the Pentagon, there was no shortage of terrorist attack warnings, bomb threats, anthrax scares, suspected air and water contamination, and cyber attacks. Colleges and universities that had previously prepared for little more than severe weather emergencies were suddenly confronted with endless “what if” scenarios. And, according to security specialists and university officials, it’s become apparent in the past 12 months that many schools found their plans to respond to any kind of disaster lacking.

“School officials believe more now that a tragedy can happen to them,” says Alan Brill, Senior Managing Director of the New York-based Kroll Information Security Group. “The disaster recovery plans that were originally put together because personnel were forced to draft them have taken on a new significance. After 9/11, senior management recognized that these disaster responses are not classroom exercises, but are vital to the overall continuity of the college or university operation.”

The most surprising reaction, however, is that IHEs across the country do not see terrorism as a chief concern in disaster planning. Although it was the terrorist attacks that forced schools to take stock of their plans, the university officials interviewed for this article say that the biggest issues they face continue to be those that existed prior to 9/11: natural disasters, crime on campus, fire, and personnel security issues. “Those are the things that continue to affect daily existence,” agrees James Francis, Senior VP of Security Services at Kroll.
“A terrorist attack is far more likely on the Pentagon than on a small school in North Dakota.” He agrees that institutions should focus the bulk of their preparedness efforts on areas such as natural disaster planning, crime, or increased computer security.

Focusing on more likely threats

That’s the overriding philosophy at the University of California-Berkeley, says Tom Klatt, Director of Emergency Planning and Communications for the UC Police Department. He admits that since 9/11, the school has added a number of security measures to reduce the likelihood of terrorism, but, he says, it has more aggressively pursued other, more imminent security concerns. “September 11 may have been the wake-up call for some schools,” says Klatt, “but we’ve had active shooter scenarios, we’ve been targeted twice by the Unabomber, we have animal rights groups protesting the school’s animal testing programs, and we’ve seen vandalism to crops. We’ve had disruptions from a variety of sources.”

Recent security measures at Berkeley include a bomb-sniffing dog, the installation of traffic barriers to keep vehicles from driving or parking too near campus buildings, and cyber locks (electronic padlocks) that allow security personnel to track who enters and leaves each building. Another change: background checks of current employees are now standard—regardless of tenure. The checks look for criminal convictions in the Department of Justice database, and are required of those employees issued high-level access keys or access to sensitive areas such as electrical substations, rooftop doors, or hazardous material facilities.
Kroll’s Francis notes: “Schools that have done a good job at tightening up because of 9/11 have seen a decrease in unwanted events that have plagued them for years.”

The cost of feeling secure

Today, with budget cuts and spending caps, an obvious question for administrators looking to boost security is, “How are we going to pay for it?” But, says Brill, “Not all solutions are costly; many are common sense.” Klatt agrees: “Most of the measures we’ve put into place at Berkeley are fairly cost-effective. There hasn’t been a large dollar outlay relative to our annual budget. Measures have largely involved redirecting existing staff time to new areas.”

In June, for example, the school conducted a “Berkeley Alert” simulation with a number of federal, state and local agencies, as well as area businesses and health facilities. “It was a major initiative for a number of agencies, but the out-of-pocket expenses for Berkeley were less than $15,000,” says Klatt. Costs for the exercise included color brochure printing, T-shirts, refreshments for group meetings, plan production, a post-exercise luncheon, parking, venue rental, and a pre-exercise briefing trainer from Seattle. “Overall, the direct expenses for this type of event are quite modest compared to the time commitment from emergency planners and the exercise participants,” Klatt maintains. “Nearly 3,000 staff hours were invested by the five agencies. At an average of $50 an hour, that represents $150,000 in labor committed. That’s the ‘hidden’ cost. But, by changing our priorities, our budget wasn’t affected.”

Recovery Measures

According to Francis, when a school sets out to tackle the creation of disaster plans, officials need to ask themselves, “What is the prudent approach for our circumstances? What can we do now? What can we do over time?
How can we pull our plan together with a more manageable financial impact?”

As for an ordering of priorities, after first doing its best to provide for the safety of students and staff, an IHE’s chief mission should be to resume normal operations as quickly as possible, says Brill. Key components of that plan should include:

Be creative about backup. As computer networks become more complex, backup procedures have become less effective, says Brill. Very often, even when a server is backed up, key data such as financial or transcript information may not be stored with it. Brill recalls one research institute that suffered a localized disaster. “Unfortunately, many of the researchers did not trust the security of the central server and kept their research on their lab-level computers. Their work was lost as a result.”

A well-designed plan should include off-site redundancy. Companies such as IBM (www.ibm.com) and SunGuard (www.sunguard.com) have locations around the country that provide off-site backup. However, Brill says, it’s important to note that the order in which companies gain access to the facility is based on the order in which they declared their disaster. “Declaring a disaster has a cost associated with it,” he says. “On 9/11, some organizations had people who were quick-witted enough to get on the phone and declare disaster. However, we know of some other firms where the people at various levels didn’t think they had the authority to declare disaster because that involved cost. When the call was finally made, those firms were pretty far down the list.”

Colleges and universities within the same geographic region might also set up mutual assistance plans, suggests Brill. “If your school is hit with a disaster, but the next closest school is not, perhaps they can offer some of their facilities to get you up and running.” Public universities should also be talking to other public-sector organizations to see whether they can set up a mutual security plan.
“If a state or local government has arranged for an off-site backup service, it’s possible that a public university can arrange to place one of its servers on that backup site, to have near real-time backup of their key management and financial files.”

Make sure the disaster plans can survive a disaster. “Many firms in the 9/11 tragedy had disaster and recovery plans, but because those plans contained confidential information, the companies made the mistake of storing them on the premises,” he says. “When their building was destroyed, those firms were at a loss.” One way to avoid a similar fate, he says, is to copy disaster plans to business-card-sized, password-protected CDs. “They can be carried in an administrator’s wallet or purse and, in a disaster, any computer can serve as your disaster recovery center. It’s an investment of about a dollar a copy.”

Convert crisis to process. Because disasters happen so infrequently, it’s not surprising that many plans are written with little or no disaster experience behind critical decisions. However, there are a number of firms with direct experience in security and disaster planning that can help schools put proactive plans in place that avoid costly mistakes and further damage (See “Planning Partners”).

Planning Partners: The following firms specialize in assessing security vulnerabilities and creating contingency plans.
Arup Risk Counseling

“Often, when a company or school is recovering from a disaster, its problems are not unique,” says Brill. “For example, if your hard drive crashes, or if a disk with stored data is corrupted by an outside attack, the data can often be recovered. If you have a prior arrangement with a data recovery service, you can quickly convert that crisis to a planned, practiced process.”

Many plans assume that key people will be where they are most needed at a specific time. That’s not realistic, says Francis. “You need to have alternatives.
What would you do, for example, if your Unix expert couldn’t get onsite because of a road closing? Fortunately, many systems these days can be operated remotely—but that has to be part of your plan, and you have to be set up to do that. Firms in the World Trade Center that had remote mirroring capabilities were generally able to be up and running within 24 to 48 hours.”

Testing, Testing

Even the best plan will have hidden weaknesses, but it’s important to expose them with disaster drills before a crisis occurs, says Alan Brill at Kroll Information Security Group. “We like to take a school’s planning book and run through each step. The drill can be as simple as a tabletop exercise where various scenarios are discussed, or it might be more complex, such as a computer simulation, or a simulation with physical components such as having an actual rescue team respond to the site.” IT departments can also test their preparedness by simulating a massive power failure, or a scenario in which a tornado has taken out the data center.

A typical drill starts with a scenario, such as an explosion or natural disaster. Participants are then asked to respond to various situations, such as “Who would you contact?” “What if the phone lines are down?” “What would you do if there are injuries?” “Where would you get the supplies?” “Where would you get the extra manpower?” “Your network is down; even if you have backup tapes, where are you going to use them?” “Can you operate from a remote location?” “Are you set up to do that?”

Brill says catching people off-guard is an effective way to test their readiness in a crisis. “My favorite drill begins by grabbing the Number Three person as he comes in the door on a given morning. Then we take the individual to a conference room and say ‘It’s six in the morning. A tornado has taken out the data center and the two people senior to you were there at the time—there is no data center.
You are now in charge; what are you going to do?’”

How that person responds to the scenario determines the next phase of the test, Brill says. If he reasons that he’d still be at home and would have the disaster plan nearby, he’s given a copy of the plan, and proceeds from there. But if the plan isn’t even mentioned, he is left to fend for himself. Such exercises emphasize the importance of planning—and expose weaknesses such as not familiarizing a string of key people with the existence and the whereabouts of the plan, says Brill. “What school officials learn through these exercises is what resources they will need to get back in operation quickly, and where they will get those resources. They learn what they have to do now, and what they don’t have to do now.” Most importantly, notes Brill, “They discover what they can do to make a real difference.”

Communication

Reestablishing communication after a disaster is paramount in any emergency management plan, but those systems must first be designed with critical emergency functionality: How will the school’s communications system help it account for the safety of students and staff during a crisis? How will the core crisis team members communicate with one another in the midst of a crisis? How will the school quickly disseminate information—internally and externally—about what is going on?

At Pace University, blocks away from the World Trade Center, the breakdown of communications turned out to be critical. Hours after the Trade Center collapsed, an adjacent building housing one of the largest telephone switching stations in the country also collapsed, leaving Pace without phones or Internet access. Although administrators had begun efforts to trace the whereabouts of students, they suddenly found themselves helpless. “The frustration of not being able to communicate over the next few days was terrible,” recalls Provost Marilyn Jaffe-Ruiz.
Earlier, Pace administrators had sent a broadcast e-mail asking students to contact the school promptly to verify their safety, but even that backfired. School officials were sobered to discover that only about 30 percent of the e-mail addresses on file were valid. Furthermore, many students preferred using America Online, Hotmail, or a commercial account, and rarely even used the school’s e-mail system.

Mass panic compounded the school’s communications problems. After the towers were hit, hundreds of students raced from the main campus to join the crowds fleeing on foot across the Brooklyn Bridge. “And because it was still so early in the semester, we didn’t have a clean list of who was supposed to be in the dorms or not,” Ruiz says. Ultimately, a makeshift listserve started via America Online by two out-of-city Pace professors accounted for more than 1,000 students over the next few days. Since then, Pace has maintained an Internet bulletin board via Yahoo, and has developed a “telephone tree” system to spread news in an emergency.

The greatest vulnerability

Today, with the specter of 9/11 permanently etched in the minds of so many students and parents, how a college or university prepares itself for unexpected events of all kinds is a key component in its ability to attract and maintain students. “One of the things we were concerned about was that people would be afraid to come back,” says Pace’s Dean for Students, Marijo Russell-O’Grady. Given its extreme circumstances, the school did everything it could to help students complete their studies, she says; Pace decided not to penalize students who just couldn’t return to school.

The university also tries to reassure students and parents who are concerned about safety issues, but it chooses to view the 9/11 event as an anomaly. “Enrollment numbers for the fall semester show a slight overall increase over last fall,” says Pace President David Caputo.
“I believe those who return know that the University has done its best to provide a safe and secure environment. We did so before September 11, and we continue to make significant improvements.”

The school even conducted a survey of current students in spring 2002 to gauge whether the terrorist attacks had affected their willingness to continue with their studies at Pace. Of the 235 respondents (out of the 3,400 class members), 66 percent said that they did not have more negative feelings about living or working in New York City; 38 percent said they had become more interested in public service; and 42 percent said they now feel more tolerant toward other races, nationalities, and religions.

After security has been compromised, it’s important to find out what the students and parents feel, and to assuage their concerns, says Francis. “I think a school’s greatest vulnerability is in the perception of the student body. If students perceive that a school is lackadaisical in its security and safety measures, it will impact the school’s ability to lure students. Families of prospective students want to know what is going on at the school as well. How a school manages its plans to respond during a crisis is now a key part of the decision process when a student is choosing a school.”
One year after 9/11
September 2002
University Business, New York, New York
By Tim Goral
CAPS Business Recovery Services www.capsbrs.com
Crisis Management International www.cmiatl.com
Disaster Survival Planning Network www.disaster-survival.com
DRI International www.drii.org
Eagle Rock Alliance www.eaglerockalliance.com
EMC Corp. www.wmc.com
Exeter Group www.exeter.com
GE Disaster Recovery Services www.gedisasterrecovery.com
KPMG Risk Advisory Group www.kpmg.com
Kroll Information Security Group www.krollworldwide.com
Lakeview Technology www.lakeviewtech.com
Strategic Technology Group www.drthermos.com
Strohl Systems www.strohlsystems.com
SunGuard Planning Solutions
Virtual Corp. www.virtual-corp.net
Vistastor Corp. www.vistastor.com