Annie Searle was the senior vice president for Washington Mutual Bank’s Enterprise Risk Services and chair of its Crisis Management Team for 10 years. She has spent countless hours with corporate CEOs on business continuity in her senior leadership roles. Now a consultant, Searle shared her thoughts about cyber-terrorism, pandemic planning, social media and how best to influence senior decision-makers to support your emergency management program.
When you were responsible for a major corporation’s business continuity program, what areas did you emphasize?
At Washington Mutual we created a federated program, with the lines of business all having representation and responsibility, and with my team having overall program leadership and oversight. No program works if it consists only of lip service from the top of the company only.
You have an information technology background. How do you gauge the current cyber-threat to governments and the private sector?
I just finishing Richard Clarke’s [formerly the special adviser to President George W. Bush on cyber-security] new book, Cyber War, which is chilling. And I’ve joined a task force on cyber-threats created after the New York University International Public-Private Sector Preparedness Summit. From discussions at the summit with both civilian and military leaders, it’s clear the threats span both sectors.
Did the World Health Organization (WHO) overreact to the H1N1 pandemic flu event?
Given the manner in which the threat levels had been set up, WHO had no choice but to make the declaration it did. I believe that those threat levels are being reviewed at this time.
Did the preventative actions taken by public health organizations and others work or was the virus just not as potent as it could have been?
The virus was not H5N1, the avian flu virus, upon which many companies plans had been built. I think from that we learned that our plans need to be simpler, more modular and flexible so that they might be used on any disaster that spans a longer period of time. At the same time, I think the federal government did a good job of taking the lead and organizing a range of public information, including distribution via social media for the first time. Our public health departments also had a chance to see just how rusty an infrastructure they were working with.
What three lessons learned did you take away from the last pandemic?
To write plans for events and outages (short term) and then to also have longer-term plans ready for disasters that might keep employees out of the workplace for longer periods of time, including large earthquakes, hurricanes and floods, bio-events like pandemic or anthrax attack. To extend the boundaries now and include tools like Twitter and Facebook in local emergency management plans. And to focus now to design strong, clear communications protocols via both a back channel and in traditional media updates.
With your international travel you have gotten a chance to see other nation’s emergency management programs. How does the United States system of emergency management stack up against other countries you’ve visited?
What we have on paper from the U.S. Department of Homeland Security and FEMA looks better than anything else I’ve seen. Of course it is only on paper until it is tested.
What are some of the common mistakes that you see companies making as it pertains to their business continuity program?
A recurring problem is that plans are too complex to be used. Programs are viewed by senior managers as “jumping through audit hoops” rather than as enabling lives to be saved and operations to be maintained.
How important are critical infrastructure interdependencies to businesses and their ability to continue to function during and after a disaster?
This is at the heart of the work I do now: helping companies sort out how they are dependent upon other companies, suppliers, vendors and agencies to maintain operations. Even though 90 percent of critical infrastructure is in the hands of the private sector, we have not made linkages to either one another or to government agencies that are sufficient to survive, such as a major earthquake, without real gaps in our response.
What arguments have you used successfully to garner support from business executives for business continuity programs?
I tend not to rely on the regulatory or audit requirement for such programs. The main argument is that a good business continuity program identifies critical business processes and procedures that the business lines would not otherwise have at their fingertips. Such information is essential to the business for any streamlining or optimization of business processes that is part of corporate growth. It’s an essential corporate tool as well as a means to maintain continuity of operations.