The attacks in New York on Sept. 11, 2001, ended an era in which companies and individuals felt immune from threats, forcing them to reappraise their vulnerabilities and broaden their conceptions of risk.
The nature of the 9/11 attacks—on property and people in a seemingly safe location—demonstrated that businesses everywhere had to prepare for so-called Black Swan events. They also made clear that the relatively low-risk period after the end of the Cold War—an era of absolute U.S. preponderance, expanding prosperity and interconnection—was exceptional and coming to a close.
In some ways, the shift was stark. Prior to 9/11, corporate security teams focused on risks such as fraud, employee malfeasance, burglary and corporate espionage. Security departments sometimes struggled to win the ears of board members.
Priority on continuity
After the attacks, major companies realized the importance of assessing risk on a groupwide basis. Security budgets went up, staff numbers increased, and remits widened as companies bolstered intelligence and analytical capabilities to understand previously neglected risks, such as Islamist terrorism.
Maintaining business continuity in the event of a major disaster became a priority, with lessons from companies in the World Trade Center of special value in drawing up more effective disaster-response plans. The attacks destroyed a host of proprietary information; one major investment bank lost a key database and subsequently conducted a “gap assessment” before developing a less-vulnerable information technology system. Companies also examined how best to ensure that employees might continue to work, leading to the development of alternative or remote office capabilities.
The damage to assets in the attacks prompted companies to examine their insurance coverage. The most immediate concerns were related to contractual certainty, as companies were worried that policies might not cover terrorism or other seemingly unlikely risks.
Since then, the market has ballooned to meet demand for specific terrorism- and disaster-risk insurance. That is in part because of external pressure—companies that fail to conduct full risk assessments and insure themselves appropriately now face difficult questions from institutional investors. The attacks, as with the 2008 financial crisis, also highlighted the reality that in such circumstances, cash is king. Without it, businesses may founder.
This awakening might have proved short-lived, though, without the emergence of governmental institutions that sought to collect intelligence and improve security standards. In doing so, they imposed new obligations on businesses.
An obvious example is the aviation industry. After 9/11, the U.S. government began requiring airlines to install unbreakable doors in cockpits, provide information about passengers and comply with stringent airport security procedures. Aviation companies also carefully tested their insurance policies against risk assessments. These measures fundamentally altered the industry’s risk-appraisal mechanisms.
Banks and beyond
An equally important shift occurred in the financial sector. After the attacks, the U.S. government sought to stifle funding for terrorism. The 2001 Patriot Act required companies to establish new mechanisms to prevent money laundering, the funding of terrorism and the financing of weapons of mass destruction. The law also expanded financial institutions’ duties for reporting suspicious transactions.
These rules focused initially on financial institutions, but they swelled to include brokers, lawyers, accountants, casinos and even real estate companies. Washington concurrently championed the adoption of comparable laws through international organizations such as the Financial Action Task Force. Most states drew up their own legislation, resulting in a dramatic expansion of an already confusing global regulatory web.
Companies responded by appointing officers who scrutinized transactions for money-laundering risks and compelled employees to adhere to standards; in turn, they needed budgets and offices. Employees also had to develop unexpected skills. Before authorizing a transaction, those in trade finance might have to ask what goods could be used as components for a uranium-enrichment program, or which chemicals were the precursors for sarin nerve gas.
Washington’s determination to apply legislation on an extraterritorial basis added to the risks; U.S. regulators took action against financial institutions operating in Europe—such as ABN Amro in 2005 and Lloyds TSB in 2009—that had sought to continue transferring funds to Iran. The success of this overseas application of U.S. laws has only strengthened the trend toward extraterritoriality. As such, companies now have to combine a groupwide understanding of risk with adherence to local regulations, forcing them to develop a more effective conception of the risks arising from a conflict of laws.
The relative tranquility of the 1990s lulled companies into complacency. The 9/11 attacks forced them to reassess their conception of and their exposure to risk on a global basis. Big increases in security departments’ budgets and responsibilities followed. This upsurge has become the norm, even if standards are patchy. After all, the regulators continue their work, and new risks are emerging, such as geopolitical instability deriving from a more assertive China and Russia, the threat of pandemics highlighted by the SARS (severe acute respiratory syndrome) and Ebola outbreaks, and an intensifying, if still weakly understood, threat from cybercrime. In that sense, 9/11 marked the end of an era.
Steve Vickers is chief executive of Steve Vickers & Associates, a specialist risk mitigation, corporate intelligence and security consulting company based in Hong Kong.