Your browser version is outdated. We recommend that you update your browser to the latest version.

Damned if you do, damned if you don’t: Preparing businesses for extreme events

From: NZ Security, June 2015

Auckland University academic Dr Bridgette Sullivan-Taylor has been in the news a bit lately. In a recent New Zealand Herald opinion piece, she suggested that the day might soon come when terrorism threat levels result in New Zealanders being subjected to bag searches upon entry to shopping malls.

The piece elicited outcry from readers who baulked at the idea that malls should be checking shoppers’ bags. Ironically, however, Sullivan-Taylor was not suggesting malls conduct checks but rather that businesses need to be taking the threat of unlikely ‘extreme events’ more seriously rather than just planning for them under the assumption that they are too hard to predict and prevent.

It’s about, argues Dr Sullivan-Taylor, strategic decision making – how do you as a company decide what risks you will prepare for, and how do you build resilience no matter what the crisis is?

Taking terrorism out of the ‘too hard basket’

In research she started at the Aston and Warwick Business Schools and funded by the UK Cabinet Office, Sullivan-Taylor found that companies in the UK tend to act either defensively in the sense that “we’ve tried to mitigate the risks as much as possible, practical and affordable”, or fatalistically in the sense that “well if it’s going to happen it’s going to happen and there’s nothing we can do about it. If we have an extreme event, particularly terrorism, we’ll just have to take the hit. It’s just too hard to predict and too hard to prevent.”

After 9/11, companies in the UK still felt that terrorist attacks of that kind were an offshore scenario and that they wouldn’t happen on home soil. If it did happen, says Sullivan-Taylor, “then they would respond with the very British bulldog spirit ‘keep calm and carry on’.” This was a concern to the government because 80% of the public critical infrastructure in the UK is privately owned. So there were big questions around how prepared utility companies were and their level of investment into this.

Private ownership versus public good

Sullivan-Taylor was keen to know whether tourism-related companies in London, such as airlines, airports, convention centres and catering companies, saw themselves as being in a critical public infrastructure supply chain. “Companies may see themselves as being in the hotel or convention centre sector but not necessarily as part of something that’s joined up like tourism or something else; but government needs them to see things in this way for safety and security across the whole city.

There is still this expectation among companies, she says, that the government will step in and sort it out and so they don’t always prepare beyond a certain point. The Pitt Review, which followed the 2007 flooding disaster in the UK, found that the scale and damage was so massive that it was beyond the capability of government to cover it. The review resulted in companies being made aware that the government will only help so far. Investing for preparedness, she observes, tends to have to be driven from outside the firm, not inside. “It tends to have to come as a push factor, especially with SMEs.”

In terms of SME thinking, activities such as counter-terrorism, emergency management and recovery are seen as something of a public good. Businesses tend to have an expectation that they can outsource responsibility for these things to government and that taxes should be put towards protecting them against even the most unlikely of exigencies.

How can companies become more resilient?

“Business Continuity Managers, Risk Managers, and Security Managers in the UK don’t usually sit on the company board,” says Sullivan-Taylor, and her assumption is that it’s the same here. “The frustration is that they do all the analysis and then they have to pass it to someone at board level, and normally the decisions are based on a financial rationale.”

“The problem with this,” she says, “is that it’s so hard to predict the scale and impact of some of these extreme events that the financial people just don’t want to go near it.” So decisions are made in the boardroom to the effect that the risk has been looked at but not further considered. “Every board has a financial director, and there is wide awareness of what they do, but this is not the case when it comes to security.”

But resilience is not something you can really test until it happens, Sullivan- Taylor points out. “Think about Y2K – billions invested but nothing happened... the issue has a taint.” You can either be underprepared or overprepared. “If you’re overprepared,” she says, “shareholders will criticise you for over investing in something you didn’t need to worry about. If you under-prepare, you’re likely to be sacked. You’re damned if you do and damned if you don’t.”

“It’s an endlessly frustrating position to be in unless you have legislation supporting you, or unless insurance companies are influencing businesses to invest in these things, or if reputation or fear or standards are driving it.” She sees it imperative that standards are regarded as the absolute minimum, and that in the context of terrorist threat companies would do more than just the minimum.

There is also the issue of increased regulation leading to the establishment of an audit culture that fails to achieve the cultural change needed to support it. Additionally, “If companies in regulated sectors are doing the bare minimum,” asks Sullivan-Taylor, “then what are companies in unregulated sectors doing?”

How do you make business continuity management ‘business as usual’? People won’t do something they see as wholly hypothetical and a waste of their time; employees won’t leave their screens... call it ‘fire drill syndrome’. “SMEs don’t want to invest in training generally or in anything that’s non-core, and this is something that I’d like to investigate. It’s a real worry.”

Weak links

Echoing her NZ Herald opinion piece, the academic states that “one of the weak links in the chain could be one of those little cafes that sit in train stations or airports, such as Starbucks.” In the case of the Lindt Café in Sydney, she points out, this was a café right opposite a piece of critical national infrastructure, Channel Seven... so being prepared means being aware of the surroundings.

“You could easily be the weak link in the chain, and big corporates need to think about who is in their geographic space, because when you think about Britomart Station or the Beehive, you might be secure but right next to you a little kebab shop could be a weak link.”

Resources for proactive SMEs

In the UK they have the National Risk Register, says Sullivan-Taylor. “Wherever you are in the country you can go online and look at what the risks are in your area.” Users can see at any time what’s going on in a particular locality, and it’s free. As a result of the Pitt Review, resilience forums have also been set up for each local government area in the country.

“You have to be proactive about finding out about these things”, she suggests. “The NZ Civil Defence website, for example, has the Breakout service where you can get messages and facebook updates. You need to link into these things.”

Rural factor

The UK, she observes, is characterized by a huge London-centric security bias. “Even within London”, she says, “Canary Wharf is like the centre of the universe,” and she thinks the case may be similar here.

Interestingly, she notes that London- based convention centres reported that the biggest threat to them wasn’t terrorism, but foot and mouth. When the disease hit the UK it massively impacted on the tourism industry because not only did people stop coming in from other countries but there was also a halt on domestic movement. “That could happen here,” she opines, “being an agricultural country, that type of biohazard is high on the radar, and if authorities undertake major changes in response, people will respect it.”

“So at the airport where they have that double security of your bags and have dogs all over you, people will put up with it no question.” Returning to the shopping mall example, if it was a biohazard thing, then you wouldn’t be allowed in with dirty shoes. “You’d have to take them off and there’d be no question.” But, says Dr Sullivan-Taylor, “It takes an extreme event for it to happen.”

Good risk management and business continuity practices Being prepared, says Sullivan-Taylor, means being prepared in the light of extremes, not just business as usual. “There is a lack of regard for things that occur at the extremities... their extreme nature and the unintended consequences.”

Secondly, it means thinking beyond your organisation. “Your orgnisation has an impact in its geographical area,” she says, “and New Zealand has a lack of joined up formalised public private partnerships.” Big corporates are more likely to be doing this, but it’s more about getting SMEs involved. “If you’re part of the wider community in a CBD or a global supply chain, you don’t want to be the one that lets that whole thing down.”

In a general sense, she makes the observation that national security rhetoric tends to be informed by the political sciences and international relations fields, “where they talk about radicalisation and defence stuff, border and heavy serious policy.” But given that 80% of national critical infrastructure is privately owned, she argues that there should be much more input from business disciplines.

If you are interested in participating in Dr Sullivan-Taylor’s research to identify SME best practice between regions and sectors in New Zealand in relation to extreme events, please contact her at Auckland University or Email:

Back to Features

Dr Bridgette Sullivan-Taylor: Preparing business for terrorist and other extreme events.

Follow us


Contact us

Phone: 022 366 3691


© 2015. Defsec Media Limited. All Rights Reserved.






Line of Defence     

Fire NZ     

NZ Security