Companies are adding one more item to the grocery list of factors that they analyze when selecting a new location - security. The tragic events of September 11 prompted knee-jerk responses, and companies began to batten-down building security with steps ranging from cement pylons to security guards at front entrances. Now, companies are taking a more thoughtful approach to determine how security concerns will affect long-term site selection decisions.
Security concerns are definitely impacting site selection decisions, but there is no "right answer" or consensus as to how far to take those security precautions, notes Jeffrey Baker, a principal at CRESA Partners, a real estate services firm in Philadelphia. "Different companies do these things very differently. One company could be very affected by it, while others have minimal attitudes toward security," he says.
"Security is definitely a factor in site selection decisions, but not necessarily for everyone," agrees Frank P. Liantonio, executive managing director of the advisory group for Cushman & Wakefield
in New York. Large, multinational firms and companies with sensitive operations such as high tech, aerospace, telecom, and utilities are certainly more cognizant of security issues. "Security issues also tend to be more prevalent in areas such as New York; Boston; Chicago; and Washington, D.C., compared to other areas such as Raleigh, N.C.," he adds.
Those businesses most concerned about risk often involve enterprises such as data centers, securities trading floors, financial-services processing, R&D facilities, and firms that have core operations in a single facility versus multiple locations.
In the wake of September 11, companies recognize the importance of setting up real estate facilities that will provide continuity of business operations in the event that a terrorist attack does occur. According to the Disaster Recovery Journal, 75 percent of U.S. companies are revisiting their disaster-recovery plans in light of September 11.
Backup Facilities
The biggest impact of September 11 has been the shift toward redundant operations. Firms that once had key personnel, technologies, and information in a single location are now looking to disperse operations with a second or even multiple locations.
Companies are implementing a variety of strategies to decentralize and protect operations from potential threats, whether they be terrorist attacks or natural disasters. Those strategies range from multiple operations centers and more geographic diversity to telecommuting, satellite offices, and staggered work hours.
Multiple locations allow firms to spread out personnel, backup systems, and technologies so that if one facility is incapacitated, it does not completely disable a company's ability to function. Some financial institutions affected by September 11 could not do business because they were entirely dependent on New York facilities that were shut down. "September 11 expedited companies' decisions to have multiple redundancies - an ever growing approach to how businesses grow," Baker says.
One decision firms grapple with when locating backup facilities is where to locate. A number of New York firms have spread operations out by crossing the border into New Jersey in areas such as Jersey City.
Morgan Stanley, for example, recently purchased the 725,000-square-foot former Texaco complex in Harrison, N.Y., about 30 miles from the firm's Manhattan headquarters. The company decided to expand to Westchester County as part of its plan to decentralize office locations for security and business-continuity purposes. The financial-services firm lost 1.2 million square feet at the World Trade Center. Although New York City will remain the hub of operations, more than 1,500 relocated and new positions, including a data center, will be housed in the Harrison facility.
Requiring Redundant Locations
Two industries that are seeing a big push for redundant facilities are financial services and health care. Health Insurance Portability and Accountability Act (HIPAA) security regulations published in February 2003 ( effective in April 2005) include requirements for insuring that electronically protected health information is always available.
The regulations require that healthcare entities do what is "reasonable and appropriate" to safeguard information. However, it is up to each organization to assess its own level of risk, and to take the steps that they deem appropriate to mitigate those risks. "The regs don't specify that you must have off-site storage, but I think good practices do dictate that," says W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance Inc.
in addition, every bank in the country has - and is required to have - a disaster-recovery plan and multiple backup systems. Banks take precautions such as routinely backing-up files and housing data in off-site locations, and they also have backup facilities in case their regular locations become inoperable. Traditionally, those plans were designed to accommodate limited interruptions, such as fires or floods. However, September 11 prompted financial institutions to address potential security risks in those disaster-recovery plans.
One question still being debated is how far away backup facilities need to be from the company headquarters or main center of operations. The question has been forced to some extent in the financial-services industry by four major agencies the Federal Reserve Board, the Office of the Comptroller of the Currency, the Securities and Exchange Commission, and the New York State Banking Department. The agencies have jointly proposed regulations calling for "out-of-region" backup locations. Typically, the distance a company locates redundant operations from its core business often depends on the importance of the operation.
Location Decisions
Companies searching for new and redundant facilities are opting for lower-risk locations. Security concerns may not be as much of a priority in the Midwest, compared to other parts of the country such as New York or Los Angeles. However, security issues do factor into today's real estate decisions, particularly for major corporations or firms with sensitive data or manufacturing functions.
If nothing else, businesses are certainly more aware of their proximity to potential terrorism targets, such as historic landmarks, government buildings, and airports. Companies are wary of locating too close to potential terrorist targets such as power plants, water/sewer plants, shopping malls, recreation complexes, bridges, and tunnels. "I think it is something that enters the thought process these days. Whether they decide for or against a location based on that proximity has yet to be determined," Baker says.
"We are working with some financial institutions that are now looking at disaster-recovery locations that are hundreds even thousands of miles from Manhattan," Liantonio says. Some New York firms are making minor geographic relocations out of the central business district, while others are looking as far away as Atlanta. "One of the challenges is finding a location with the required skill set and employee population to satisfy the business requirements," he says.
Obviously, firms do not want to locate in close proximity to perceived targets. "But you also want to make sure the location is not so obscure and remote that you can't access the employment base you need to operate your business. So it is a balancing act," Liantonio says.
International site selection creates even more challenges. Companies often move facilities off shore to cut costs, but these days those international facilities raise a whole new batch of security concerns.
The cost benefits of operating in countries like the Philippines or India make that risk potential palatable, notes King White, a vice president of the call center site selection group for Dallas-based Trammell Crow Co. Some companies that have contracted with call centers that are located offshore now require those call centers to have redundant North American operations in case of a terrorist attack or natural disaster. Other firms simply won't send any operations offshore because they perceive the risk as too great, White says.
Building Security
Another option for companies is to fortify security within the physical structure itself. "There is a heightened level of security among companies across the board, and I think enhanced security systems are going to become more of a standard in the future," says George Figliolia, president of Builders Group, a general contracting firm based in New York.
Builders Group has seen its security-related construction projects increase tenfold since September 11. Projects range from the construction of entire secure buildings to the installation of audio and visual surveillance systems, card-access readers and turnstiles, bulletproofing, and backup power systems.
Recent Builders Group assignments include work on a 220,000-square-foot telecommunications data center in Secaucus, N.J., for an international provider of Internet exchange services. Security enhancements included adding "mantraps" to restrict access for unauthorized personnel, bullet-resistant walls and doors, and new monitoring and access systems.
The primary focal point for companies is controlling the constant flow of employees and visitors into and out of the building. Those security measures typically involve steps such as repositioning the entrance of a building security or concierge desk and installing turnstiles or door-control mechanisms to control the flow of traffic.
Companies are also strengthening the building structure itself with measures such as glazing windows for shatter resistance. Some firms are even going so far as to create secure rooms or secure floors within a building that involve some level of building hardening or reinforcing to the structure, as well as added mechanical systems to treat the air quality in case of a biological or chemical threat, Figliolia notes.
How far companies are willing to go with added security measures and precautions has yet to be seen. "Even though it has been two years since September 11, this is all so fresh," Baker says. Corporations are still trying to figure out what to do with risk-management strategies as they pertain to heightened security concerns. "It will probably be another five to 10 years before we see what companies have done and will do as a result," he adds.
Real estate strategies typically unfold over a long period of time due to lease or ownership obligations already in place. So it is no wonder that many of these strategies are emerging slowly. "This is something where companies are still trying to figure out what they are trying to do for future operations," Baker says.