Looking for Lessons from Mumbai

The tragic events in Mumbai are rapidly disappearing over the world's news event horizon. Often the only positive feature of any tragedy is to ask what lessons can be learned from it. What lessons can be learned by business continuity planners from the terrorist attacks in Mumbai?

It wasn't evident at the time, but the attacks actually started somewhere between the 13th and 26th November 2008. The Kuber trawler, a 25 meter vessel with five crew was hijacked and taken over by a group of at least 10 armed men. The crew was murdered (one body found, four crew members missing) and the trawler used to enter Indian waters off the coast of Mumbai.

On 26 November the terrorists used a boat and an inflatable dinghy to reach land.

A busy railway terminus (Chhatrapati Shivaji), two landmark hotels (Taj Mahal Palace and Oberoi Trident), and a Jewish outreach center frequented by Israelis (Nariman House) were attacked, along with various lesser targets of opportunity crowded with people.

By the time the last terrorist had been killed or captured, 179 people had been killed and another 300 injured.

One of the positive things we can look for in any human tragedy is some lesson that can be learned to reduce the risk of similar things happening again.

Is there anything that we can learn from a business continuity perspective from what happened in Mumbai?

  1. Small well-armed teams of attackers can cause large-scale casualties in surprise attacks with modern weapons and explosives.

    This unfortunately is hardly new. We need only list the 9/11 attacks, Columbine School, Dunblane Massacre, London and Madrid bombings, Oklahoma city bombing, etc. to remember that history is full of such cases. The attacks may be well or poorly planned, more or less effective, motivated by politics, revenge, or boredom, and occur in places with or without strict gun controls. It is unrealistic to believe that the threat of such attacks can ever be totally eliminated. We therefore need to be prepared for when they do occur.

  2. Lock-down procedures are needed as well as evacuation procedures.

    When the hotels were attacked, brave staff reportedly went from room to room warning visitors to lock themselves in. If a single deranged person attacked your place of work, do you have an effective mechanism to warn staff to lock doors and stay in place? Or do you only have a procedure which will cause everyone to evacuate and place them in harm's way?

  3. Fire-proof is a lot better than fire-resistant or fire-retardant.

    During the attacks, the attackers tried to set fire to the hotels they were in. What would have happened if the Taj Mahal or Oberoi Trident had merely been designed to give people enough time to evacuate in the event of a fire?

  4. Places where people gather are always potential targets.

    The attackers picked on targets of opportunity while moving across the Mumbai. While it's unrealistic (and not necessary) for every cinema, cafe, or restaurant to consider what they would do if a terrorist attack occurred on their premises (the probability is just too low), it is not unreasonable for them to consider what they might do in the event of similar and more probable events: a fight, shooting incident, armed robbery, or medical emergency.

  5. Security Forces (and Emergency Responders) need familiarity with buildings.

    Reportedly valuable time was lost because the anti-terrorist forces were not familiar with the layout of the hotels (they came from a different city), whereas the terrorists were. Staff had to sketch out plans of the buildings. Building plans and photographs should be readily available for emergency responders. Ideally, emergency responders should be familiar with the layout of the building through site visits or exercises.

  6. You don’t have to be the target to be affected.

    Businesses near to an incident — be it a fire, shooting, or full-scale terrorist incident may find their premises inaccessible for an extended period of time. Near here may mean not just adjacent: it may mean within line-of-sight, or within half a mile or so for an incident involving a potential explosion. Are you prepared to evacuate your buildings for a few days at short notice?

  7. Attackers are not always interested in saving their own lives or negotiating.

    Most of the defences that work well in normal society do so because attackers place a higher value on their own life or liberty than on their cause. If you believe you may have potential attackers that do not conform to this assumption then deeper and stricter security measures are essential.

  8. Metal detectors don’t stop armed intruders. They only provide an alarm.

    It is reported that the attackers avoided metal detectors at the front entrances to the hotels by using back entrances. Both hotels have since reopened with upgraded security including X-ray scanners and metal detectors. But would this additional security have made much difference? It might not have been possible to hide weapons in the hotel in advance, but a metal detector makes little difference against a surprise attack unless it can automatically trigger the locking of doors or a similar means of impeding an attacker’s progress.1

No doubt there are also many lessons being learned by security forces and diplomats everywhere.

I just wish there was more to learn from this.

It seems such a short list for such a terrible event.

Some Resources:

BBC Timeline: http://news.bbc.co.uk/2/hi/south_asia/7757500.stm
Mahalo.com: http://www.mahalo.com/Mumbai_Terrorist_Attacks, http://www.mahalo.com/Kuber_Trawler
Wikipedia: http://en.wikipedia.org/wiki/26_November_2008_Mumbai_attacks
New Delhi TV: http://www.ndtv.com/convergence/ndtv/mumbaiterrorstrike/video.aspx?id=46680
Newsweek: http://www.newsweek.com/id/171366


1Risky as it is to compare fiction with real life, the scene in Luc Besson's film The Professional (a.k.a. Léon) where Léon walks through a metal detector and opens fire before the unprepared security guard has time to react strikes me as only too plausible.

18 January 2009

To get notified when new articles appear, subscribe to the Risky Thinking Newsletter. It's low volume: we don't send out an issue unless there is something interesting to say. You can also subscribe to our RSS Feed

Recently published articles can also be found here.

Agree or disagree? I'd like to hear your thoughts. Please initially use the contact form to get in touch.