WORLD TRADE CENTER LESSONS: RISK MANAGEMENT LESSONS FROM THE WORLD TRADE CENTER

doi:10.1016/S0267-3649(02)03012-1

Computer Law & Security Review

Volume 18, Issue 2, 31 March 2002, Pages 117-119

https://doi.org/10.1016/S0267-3649(02)03012-1 Get rights and content

Abstract

There are many who believe that the events of 11 September 2001 have changed the world forever. The complexity of the data that has emerged, and that will emerge, as more studies are undertaken, is almost overwhelming. The tragic catastrophe that befell America was far, far greater than the beat of a butterfly’s wing, but there cannot have been a more extreme example of the chaos theory — the myriad of consequences that have stemmed from a single event and touched so many things, affecting the lives of virtually everyone on the planet.

Section snippets

Contingency planning lessons

There have already been several reports on the contingency planning mistakes made by affected organizations — not only those in the Trade Center (WTC), but also those in the immediate vicinity and those that lost business continuity as a result of the much wider infrastructure failures. The reports draw on interviews with the organizations concerned, feedback from user-group meetings and studies by consultants involved in the recovery process.¹

THE PEOPLE DIMENSION

Prior to 11 September, one of the unspoken assumptions behind many recovery plans was that all that would be lost was access to critical business premises or functions, and that the employees would be both physically and mentally unharmed. The fallacies surrounding this assumption had already been exposed in countless disasters, but, possibly because of the seemingly impossible task of compensating for significant injury or trauma, most plans paid, at best, lip-service to the issue. The

REPUTATION RISK MANAGEMENT

Organizations that are in the centre of an incident of considerable public attention, such as the WTC attacks, may well find that their every move is carried out in the glare of media attention. This applies not only to the immediate aftermath of the incident, but also to the handling of moral issues such as compensation for employees or their dependents, or severance terms for employees made redundant because operations have to be terminated.

This issue has already emerged with WTC where, over

RISK IDENTIFICATION — MOVING OUT OF YOUR COMFORT ZONE

That which has not been identified cannot be managed. Therefore, the starting point of any risk management exercise is risk identification. Whether an attack of this nature, or the loss of both towers, could or should have been anticipated is an incident-specific argument that may well continue for years. However, the real risk management challenge is the extent to which the possibility of the unthinkable should force organizations outside the comfort zone of the risks with which they are most

MERELY IDENTIFYING RISKS IS NOT ENOUGH

Much evidence is emerging of the significant inaction at a state level to respond to known terrorist risks³. James Woolsey, a former director of Central Intelligence, has said that the 11 September attack, “was a systematic failure of the way this country protects itself”. He amplified this, saying, “It’s aviation security delegated to the airlines, who did a lousy job. It’s a fighter

References (0)

Cited by (1)

Designing information system risk management framework based on the past major failures in the Japanese financial industry
2008, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

View full text