When disaster strikes, survival is often earned by those who have planned ahead. For businesses, this means developing contingency plans for worst-case scenarios associated with their operating environments, which can differ depending on locale: in Los Angeles there is the threat of earthquakes, while in Taiwan they face typhoons. In Lebanon the most sizable systemic risk is, perhaps, war.
The Israeli onslaught in the summer of 2006, which killed more than 1,200 Lebanese and wrought some $3.6 billion in damage, served notice that major violent confrontations can, and do, erupt without prior notice. With tensions escalating recently between the region’s belligerents — particularly Israel and Iran — the threat of renewed conflict is real, and a fact that every responsible business should take into consideration. Banque du Liban (BDL), Lebanon’s central bank, recognized this as far back as August 2009 when it sought to reinforce disaster preparedness by issuing “Basic Decision No. 10227,” which stated that “all banks operating in Lebanon must prepare a business continuity plan” within the year.
The document goes on to say that every business continuity plan must include “preventative and prudential” detection, rescue and business resumption procedures. BDL outlined 12 principles for creating a compliant plan. The first four can be classified as threat and resource identification; the next set of steps relates to preparation and the final two steps are testing the plan and then continuously updating it as necessary.
As a case study, Executive spoke to two Lebanese banks to learn about their experience during the 2006 bombardment and how they have since adapted their contingency plans. Both Byblos Bank and Bank of Beirut said that they were already largely compliant with BDL’s guidelines when Basic Decision No. 10227 was issued.
Byblos Bank
Founded in 1950, Byblos Bank operates in 11 countries in the Middle East, Europe, and Africa. With total assets at approximately $20.5 billion and 1,800 employees, the retail and corporate bank is one of the largest in Lebanon.
During the 2006 Israeli bombardment of Lebanon, Byblos Bank encountered a variety of difficulties but managed to remain operational for the entire period.
The strikes on Lebanon were unanticipated, so operations in 2006 were without a formal business continuity team. Management found that many employees could not access branches where they worked, so they were reassigned to locations closer to home.
Philippe Saleh, head of corporate risk management at Byblos Bank said, “There are a lot of uncertainties which may happen… we had all these uncertainties, which we had to deal with on a relatively ad hoc basis.”
Concern about the bodily safety of employees was compounded by concern about fuel shortages for the banks’ generators to remain functional, though the 34-day conflict ended before supplies were exhausted. Significantly, the bank did not have to resort to disaster recovery systems.
One of the biggest challenges faced during the war was coordinating amongst different groups of employees as many were unreachable, and were unwilling or unable to venture from one branch to another when critical communication lines went down. For the same reason, gaining access to branches to secure funds in case of looting or destruction was problematic.
Members of the public struggled to withdraw funds from automated teller machines (ATMs), many of which were in dangerous areas and therefore not restocked until the conflict ended.
After the 2006 war, the bank created a business continuity committee responsible for coordinating all aspects of the business as a disaster situation evolves.
Now if a situation were to occur, information such as telecommunications availability, core systems and human resources management will be centralized and recommendations forwarded to the continuity committee.
After 2006, Byblos Bank minimized cash in ATMs in areas deemed to be ‘strike-prone,’ while cash in other locations was increased. Should another war break out, branches identified as non-essential will be temporarily closed, permitting the bank to relocate essential resources, such as fuel, to larger branches that are more accessible, while minimizing the amount of danger to which employees are exposed.
Byblos Bank also maintains a remote operational command center and a backup server in Lebanon, with a disaster recovery site in Syria.
Byblos’ Saleh explained, “If there are any disasters in our core system, or where our core system is located, we can switch to a disaster recovery site in order to resume our business.”
The business continuity team catalogued all people and equipment vital to the running of the company, so that if they do need to relocate to a remote operations center, all of the required tools are available. Additionally, the bank’s hard assets — such as equipment, hardware and furniture — are insured.
• Risk classification
• Bank activity classification
• Activity selection under disaster and post-disaster operation modes
• Resource classification and provision under disaster and post-disaster operation modes
Preparation:
• Alternate site location
• Selecting implementation staff and determining their duties
• Training plan operation staff
• Data transfer
• Security procedures
• Plan implementation procedures
Ongoing:
• Regular renewal of continuity plans
• Rigorous testing of continuity plans
In the event that the business continuity committee can’t reach the company headquarters, other sites have been identified for coordination. Three different communications systems have been made available to the committee members, and key employees have had virtual private network (VPN) facilities installed on their laptops to permit them to work remotely. VPNs act like a protected layer of internet access on top of an existing network, enabling the user to access secure information without risking infiltration.
Finally, core operations personnel will be relocated to Cyprus should a conflict erupt. Subsidiaries outside Lebanon rely on them, so they will be evacuated either by air or sea at the first sign of conflict.
The bank carries out risk assessments when opening new branches, but that factor alone does not determine where new ones will be opened. For instance, Byblos recently opened a new branch in the southern town of Bint Jbail, which was heavily bombed by the Israelis.
“Where the business is, where the people are, we are going to open,” said Saleh.
Bank of Beirut
Established in 1963, Bank of Beirut, has roughly $10.5 billion in assets and operates in six countries, among them Oman and Cyprus, providing retail and commercial banking services. The bank faced numerous challenges in 2006. While a contingency plan was in place at the time, management was surprised at the scale of fear and panic amongst bank employees charged with securing the business. Understandably, many were reluctant to venture out during the bombardment.
A second major challenge was maintaining communications during the war. Network connectivity took a major hit, and the bank’s management experienced problems communicating with employees at different branches.
These two challenges demonstrated that the existing contingency plan needed to be upgraded. Despite the difficulties faced during that period, a number of branches in South Lebanon remained open and the bank maintained operations.
After 2006, the general business continuity management outlook changed to focus on enabling employees to work in secure environments and reduce the amount of time spent away from home. One of the first steps taken was to create a larger, better-equipped contingency site.
Every year, the harvest yields approximately 2 million bottles of Lebanese wine, which is both consumed domestically and exported. The Chateau Kefraya management saved most of the harvest by continuing to work during the bombardment. Of course, employees in the vineyards could not venture out, but the rest of the team prepared for the eventual cessation of hostilities so that they could move the product right away.
The season was saved due to the preparations made during the attacks, but the Kefraya Nouveau, which is made from the season’s first grapes, could not be produced in time, as the attacks ended three or four days too late for that vintage. Luckily, only 500 to 1,000 cases of Nouveau are produced every year, so the bottom line impact was not pronounced. The company is sensitive to harvest risk however, as all the grapes used for Kefraya wines are grown and harvested from the Kefraya vineyards; for quality control purposes, the company does not buy any grapes.
The war did affect the export markets as the port was closed for a month and a half after the bombardment began. Many roads were bombed as well, and at one point, the company resorted to hiring a ship in Sidon to transport thousands of cases of wine to Beirut as the main highway between the cities was impassable. Transporting wine in this way took a full day, but the goal was to continue to operate regardless.
Majdalani credits employee perseverance for the successful 2006 season, as the company benefits from years of experience operating under duress in Lebanon, noting that: “Chateau Kefraya began to be commercialized during the [civil] war, so we are used to these situations.”
The larger site includes more space for employees who wish to spend nights there to minimize travel, and more equipment to replicate branch working conditions. In addition, diverse satellite equipment and telecommunications connections were added, allowing phone and internet access in remote areas, or where infrastructure had been destroyed.
Bank of Beirut management made a request to BDL to move data to recovery sites abroad. However, due to banking secrecy restrictions imposed by the Banking Control Commission, all client data must remain in Lebanese territory and the request was denied. Consequently, all critical core-business data servers are situated in Lebanon, but non-client related tasks like email services have been backed up in other countries.
Once a disaster is acknowledged, the business continuity committee takes control. At this stage, the core business and operations personnel have already been identified. Existing documents outline the steps to be taken by each group of employees. However, as Fadi Shalhoub, head of information security and secretary for the business continuity committee at Bank of Beirut, said “We have written procedures but they are flexible to the point where if something [unanticipated] happens…we can take the necessary action.”
One other change the bank made after 2006 was to decentralize operations. This means that foreign subsidiaries can continue to operate independently of management in Lebanon in the event of a crisis.
Conflict risk does not dictate where the bank does business in the future, as Bank of Beirut has plans to open more branches in South Lebanon.
Best practices
Based on the practices of these two banks, and on the guidelines set by BDL, businesses across Lebanon can adopt the following principles to ensure business continuity under difficult circumstances. First, a business continuity committee or similar authority must be tasked with taking control once a disaster begins to unfold. That committee should identify crucial personnel and clearly outline their responsibilities in the event of a disaster. Furthermore, a clear chain-of-command must be identified, with contingencies in place if key managers cannot be reached. Next, secondary and tertiary communications equipment must be in place to ensure that all vital parties can maintain communication at all times. Additionally, the business must have plans for resuming operations after an event; the sooner, the better. Finally, a certain amount of secrecy is important for creating a viable business continuity plan. As both banks demonstrated, information about backup locations, technology, and step-by-step procedures should remain private.
Despite all this, things may still go wrong. As Saleh notes “Nobody will tell you that we are going to face or mitigate the risk by 100 percent.”
