Mr. Geddes was surprised at how many phone calls his company received after Sept. 11 from risk managers and potential clients with no continuity plans in place.

Control Risks Group, an international security consulting and investigative firm, had a similar revelation.

William Daly, senior vice president for Control Risks in New York City, said some companies that approached Control Risks after Sept. 11–including large international and multinational companies–were surprisingly deficient in the area of crisis management and contingency planning.

Without a contingency plan, companies might not be able to have a quick recovery after a crisis, he warned. “They need to be able to quickly move their business, relocate key components of the business, and be able tocommunicate to their employees and to their clients,” he said.

The ability to manage a crisis with sound contingency plans “has been surprisingly absent in some of the large companies,” he said, noting, however, that these companies were stronger in the area of back-up and recovery of technical systems.

Mr. Daly said some organizations have ad hoc arrangements for contingency planning, and other companies set up contingency plans years ago, but have never updated them.

Other companies feel as though they can “just take care of a crisis as it occurs without making any formal arrangements ahead of time,” Mr. Daly said.

Mr. Geddes at ICP emphasized it is imperative that companies proactively set up contingency plans for disaster recovery because these vulnerabilities pose a very real threat to the balance sheet.

“Contingency planning should be part of the business structure, and it should be included in corporate planning, strategy and deployment of assets,” he said.

John Eltham, business unit leader for special risks at Miller Insurance Group, a London-based broker, said that certain risks cant be protected by the insurance industry, but can be managed by contingency planning. He pointed to the example of bio-terrorism, which is currently an uninsurable risk.

“If youve got a contingency plan in place and you know what measures to take, because youve thought it through, you can actually manage the risk rather than just saying, What do we do now?” he said.

Mr. Geddes said, “Security in its generic sense is something that no one wants to think about.” He noted that its harder to see the tangible benefits and the direct financial return of security measures and contingency plans.

“It's something that is relatively intangible, because it's difficult to say, if you dont do this, this and this, it could potentially amount to hundreds of thousands or tens of millions in damage to your company,” he said. “But if you dont have a contingency plan and you then implement one post-incident, you can see how relevant and how expensive a disaster or a crisis can be to a company.”

Mr. Daly was encouraged by the fact that many contingency planning initiatives appear to be driven by CEOs and chairmen, which makes it “a very easy sell [for risk managers], not just for the financial implications of putting in increased security, but also for getting employees to buy-in and realize that [security] is one of their corporate standards.”

Having senior management involved “creates the sense that it is important and everybody else follows suit,” he added.

Mr. Daly said this is a big change from years past when crisis plans received a lukewarm reception from senior management because they didnt realize how dramatically a crisis could affect a company. The concept was “more conceptual, rather than real-world,” he said. “Now theyve seen it in the real world.”

The interest of top management in contingency planning does not negate the continuing importance of risk managers to the process, Mr. Daly said.

“We think its empowered the risk managers and people who have responsibility for security and safety in the organizations,” he explained. “This kind of top-down approach were seeing now makes the jobs of people such as the risk managers a little easier.”

Mr. Geddes said the biggest roadblock to actually addressing the issue of crisis management and business continuity planning is the perception that costs will be prohibitive.

“But they have to consider how much would it cost the company to lose trade for one day, or one week, or potentially even one month,” he said. “The costs dont have to be prohibitive. The contingency plan developed will equate to the size of the company that needs it.”

Mr. Geddes expressed concern that the momentum for contingency planning might drop off and people again will become lax about security.

“[Terrorism] is a threat thats going to continue, albeit in different forms,” he said. “The important thing to remember is the fact that it wont necessarily be you and your organization that may be the direct target, but you could be affected collaterally.”

Mr. Geddes pointed to the fact that much more than the World Trade Center buildings were affected as a result of the Sept. 11 terrorist attack. “The whole surrounding area was completely decimated,” he said. “The Woolworth Tower was evacuated, as were a number of offices for a good five blocks.”

Even organizations that werent directly hit were unable to access their buildings because of security and clean-up operations, he said.

Mr. Daly also emphasized that a crisis doesnt have to be the result of a terrorist act or a natural disaster. “It could be something else that affects the company, such as a kidnap and ransom situation, or an incident that might affect the companys brand name or their position in their business sector,” he said.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, April 15, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.