The G20 poses challenges for local businesses; it will test their readiness for a range of credible scenarios, whether those exact scenarios were predicted or not. Information will be scarce until very close to the event for security reasons, meaning that businesses must plan for the worst and hope for the best, so that they can react to the final plans with confidence, flexibility and the assuredness that their businesses will continue to operate during a potentially disruptive period in Pittsburgh’s Central Business District.
Unfortunately, at Densus our research shows that managers with G-20 exposure are too keen to ask questions about how businesses may be inconvenienced, and not about the actual risks and how to manage them effectively. As professional risk managers, we, the risk management community, seek to clarify and present solutions based on analysis and experience. We believe that risk management is about understanding the most credible scenarios, and managing the likely outcomes if, unfortunately, things going awry.
Businesses should embrace this event as an opportunity to test their business continuity planning. BC plans should be flexible enough to address effects as much as to try to combat causes. The effects of the central bus station being closed should already be a part of management and business continuity plans because snow often has the same effect. The effect of the city’s public schools being cancelled, affecting business leaders and staff members who are also parents should already be included in planning, as school closings are a normal activity.
Whether businesses see the G20 as welcome or not, it does present an opportunity to revise and test business continuity plans. When information does become available, the business is ready for the worst case scenario and down-grade its planned response, rather than being forced to plan for difficult circumstances on the fly.
The language surrounding the G20 in Pittsburgh focuses on “disruptions” and ”inconveniences.” Disruption, like beauty, is in the eye of the beholder. The inability to get vehicles inside a security cordon may be one person’s disruption but a business owner’s critical effect on the business. I am not stating as fact that there will be critical interruption to any business, but as a professional risk manager with an absence of definitive information in Pittsburgh at the moment, I would certainly be planning for the eventuality, considering likelihood to be mostly proportional to proximity to the Convention Centre and the Omni William Penn Hotel, where the President and British Prime Minster will be staying.
Two groups will affect business in Pittsburgh during the period September 19-25: the authorities and the protestors. Note that while the G-20 is September 24-25, ”camps” in the area begin to be formally occupied by September 19th, protest action is set to begin on September 20th, and security measures around the meeting locations are likely to begin in earnest by September 23rd.
The authorities will seek to maintain security, and protestors will seek to get their message across, some peacefully, some using direct action, some using violence. These groups can be easily described separately in abstract, but are not likely to be so easily distinguished on the streets, raising challenges for building and office security, particularly for bank branches and other potential targets.
Four major local businesses have been singled out as ”sponsors” by anarchists – they must work on the principle that they are the headline targets for direct action. A list will be issued, probably in the form of a map for “out of towners,” identifying 100 businesses; these businesses must assume that they are the secondary targets for anarchist attention.
“The protestors in London were Europeans, they won’t travel to Pittsburgh, and it won’t be an issue” is a sentiment often repeated in Pittsburgh-based blogs, forums and conversations. Whether the G20 attracts the numbers that London did or not is irrelevant; for protestor actions of a direct action or violent nature it only needs to attract a critical mass. The largest protest in London contained 35,000 people; this protest was self-policed by the TUC and passed off peacefully. There were only 3,000 people at the protest in London that turned violent, and the St. Paul police “lost control of the city centre” (their exact words) to only 200 anarchists. So the question isn’t whether 35,000 people will be in Pittsburgh, but whether there will be 200 or more anarchists dedicated to violence. In my mind there is no question – risk managers must be planning for the event, because it could happen, and as a risk management issue it must be addressed.
Threats to businesses that risk managers must be considering and planning for are listed below. This list is by no means exhaustive, nor is it a definitive list of threats that I consider high probability. However, each is possible, and so risk managers must be planning for these events and their effects on the business:
Office Occupation or Raids. Recently executed in DC by the National Peoples Action on March 23rd, 2009, an office occupation may simply entail the occupation of public spaces in the foyer or include an attempt to bypass security and penetrate into the working spaces of the target company. If the latter is successful, the target organisation will be severely affected as will the well-being of employees, visitors and contractors on-site. Such an event will traumatise staff, disrupt business operations and is likely to cause physical damage, thereby affecting the ability of the organisation to do its business. Based on information available to Densus this could include up to 100 Pittsburgh based businesses or business locations.
Denial of Access to Places of Business. Denial of access may have a disruptive effect on business operations. The denial of access may be into the physical offices, or simply getting into downtown. This may be the result of:
• Protests that prevent access into the offices,
• The authorities placing areas containing offices and businesses out of bounds,
• Deliberate blocking and disruption of key routes and bridges; the Pittsburgh Organizing Group demonstrated real talent for this when they conducted two of the most successful road blocks at the RNC in St Paul.
• Bus routes and other transport not being able to deliver staff to the office area.
Staff Impairment/Injury. One of the most serious concerns about protest action is the likelihood of injury to staff or customers. This can be the result of:
• Staff getting caught up in protestor action and injured or swept up in mass arrests (if the authorities choose to use this tactic).
• Staff protesting and getting arrested as part of mass arrests (for those companies with policies covering conduct, particularly security clearances, this must be a concern).
Targeting of Management. Although the targeting of executives has traditionally been a more European tactic protests at the houses of AIG executives disproves the assertion that ”it could never happen here.” It is not outside the bounds of possibility that individuals may be being targeted for direct action in Pittsburgh. Protests or direct action at homes, clubs and other venues are threats that should be considered and planned for.
Physical Damage to Infrastructure. Physical damage to infrastructure focuses on physical damage caused by protestors; the breaking of glass, setting fires, graffiti. However, more serious threats infrastructure threats do exist; in particular a terrorist act that is successful in detonating a bomb downtown could have serious effects on building structures. This is not likely, but the possibility exists; if it did not, there would be no access restrictions around key buildings and there would be no flight restrictions over Pittsburgh during the Summit.
Disruption to Power Supplies. At the G8 Summit in L’Aquila last month Greenpeace led the occupation of three coal fired power stations near the G-8 Summit and one hundreds of miles away ‘in sympathy’. There are three coal fired power stations near Pittsburgh. Management of the national power grid is not my specialty, but for businesses where even a five second discontinuation of power may affect business processes, discontinuation of power must be a planning consideration.
Risk management is about understanding the potential effects and managing for them through pre-emptive planning and measures, and measures in place if threats do realise.
At this point businesses should be planning for:
• Not being able to freely access their place of business for the period September 20-25.
• They have logistical systems downtown that cannot be used, such as transport, suppliers and food and beverage shops.
• Key staff cannot get to their primary place of work.
• Information is lost at the main location because of office invasion or disruption.
Given the range of potential threats, businesses should be considering alternatives to utilising their place of business where that is possible. These include:
• Working from home.
• Working from alternate locations.
• Leave and holidays.
• Reallocation of working days.
I write this blog not to be alarmist, but to remind that while hope and optimism rightly have their place, it is anticipation and analysis that are the hallmark of the professional risk manager; risks must be fully understood before they can be effectively assessed for effects and likelihoods, and for pre-emptive and post-event plans to manage those risks written and put in place.
Risk management and business continuity in the context of a G-20 has idiosyncratic risks and management methodologies. With less than 45 days to go until there is a critical mass of those willing to use extreme methods, it is beholden on risk managers to understand that in addition to the scenarios being briefed by local authorities there are other, realistic, scenarios that should be addressed. These scenarios must be understood, prepared for and, if they materialise, managed in an effective manner that minimises their impact.
For more details, the Densus Group’s Demonstration Report and Threat Analysis is published on a bi-weekly basis; a special G-20 Annex is also being produced. The DRTA, and other documents briefing on the risks to businesses and to Pittsburgh during the G-20 are available to select recipients. Membership of the distribution list can be arranged by contacting DemonstratorThreat@densusgroup.com.