Author: admin

  • CIMS Training for Businesses: A Breakdown

    The release of our CIMS 2 & 4 training did not necessarily come from market demand for Emergency Management training or warden training.

    Although this course has always been the most searched for term in the Emergency Management category, Google seldom provides results for corporate and partner training programs.

    A corporate and partner training program is essentially cross-functional and organisational CIMS training. After all, the training is universal, but the collaboration and communication of processes is not.

    It’s this requirement that arose in a conversation we recently had. A client who is currently engaged in a significant, multi-agency project wondered if it’s both easier and affordable to conduct these courses as a group – meaning all parties understand early on how communications should be handled.

    We often see the challenge that organisations go through in encouraging best practice among less mature third parties or partners. It’s uncommon that conversations end with any real actionable steps in planning programs as one.

    But it doesn’t have to be this way. Larger organisations and more fingers in the pie do not mean the basics need to be missed.

    You’ve likely been there: aligning diaries, picking venues, working on objectives & outcomes. It often results in you putting the task in the too-hard basket.

    With our new corporate CIMS program, we do it all for you. Not only can organisations in joint ventures / agreements receive tailored and unique training, they also get the opportunity to be in the same room and agree on a process that works for their situation.

    Our facilitators are seasoned on CIMS, but more so on wider organisational resilience; offering a chance to understand and discuss wider techniques the CIMS model misses. Yes, you’ll get CIMS training, but you’ll get a deeper knowledge of how you should implement it in your day-to-day activities.

    What we do to help

    Taking our above client’s example, we’re able to review and assess the unique situation they’re in, the value of this, and timelines needed.

    Next, we focus on getting the facilitation of the training happening (think location, timescales, getting the relevant people attending etc). That obviously means we’ll be making the phone calls and ensuring all parties are prepared.

    Once all of this is agreed, the invoice can be sent to either the key contact/organisation, or it can be split, or paid through an online payment gateway instantly.

    We spend time understanding the organisations involved, either over the phone, researching online or reading agreements. This ensures when we’re in a room, we know exactly who sits where.

    During the training, you’ll look at the underpinning principles of CIMS, the legislation that is used in conjunction with CIMS principles, the structure, roles and responsibilities of a CIMS Incident Management team, the scalable and modular nature of CIMS, and the consistent response documentation that is used across all responding agencies that use CIMS.

    The result

    Simply put, you’re prepared, ready to go, aware and confident. Not only in yourself, but in those (often new) partners you’re working with. You all know what processes you’ll use during an event. That sort of preparedness is priceless.

    If this is of interest and something you think your people will see real value in, contact us to begin.

  • This Is What To Consider For A ‘Working From Home’ Policy

    First things first: social distancing

    Not coming into the office due to illness is a good move. Unfortunately, the stigma around calling in sick can turn some off, especially passionate staff. We as leaders need to make it clear that if staff are concerned, they can, and should, stay home (and work there if they can). By setting procedures to support them while at home, we may just battle this virus yet.

    There is an uncomfortable movement happening in the corporate world right now, and it’s the lack of handshakes.

    It’s a crucial step for us all to do our part in minimising the impact of a virus. But it takes some getting used to when dealing with clients or authoritative figures. It’s these new simple, but important requirements that many are starting to pick up.

    In Europe, hugging and kissing are a standard greeting. But again, this is one of the best ways to help COVID-19 transmit from person to person. If everyone stayed at least a metre away from each other, this would help considerably.

    Globally, many events are being cancelled which can seem drastic to some, like the possible cancellation of the Tokyo Olympics. But at an Auckland concert on April 28th of February, the reason for these cancellations became clear. One man who was recently back from Italy attended the Tool concert at Spark Arena. Standing body to body with thousands of other fans, this one person may have catapulted New Zealand’s infected cases.

    Another man in Japan may have knowingly spread the virus in bars after he was told he was infected.

    Any strategy which creates distance between people, from no handshake to the cancellation of mass gathering events is classed as social distancing. No matter the situation or awkwardness you may encounter, we’re all in this together and social distancing needs to be the norm in 2020 if we’re to combat COVID-19.

    True or false?

    A) A work from home policy requires all staff to test this before it is required.

    B) During an outbreak like COVID-19, all staff should work from home.

    C) Thanks to the cloud and remote technology like a laptop, Zoom, Slack and emails, it is easier than ever to work remote.

    How did you go answering these? The lesson here is to appreciate that much media hype accredits to poor direction and advice. Working from home (WFH) is more complex than simply setting up your laptop at your kitchen table. There is much to consider.

    The answers to the above are:

    A) True. But did you consider your IT system? Most IT infrastructures can’t handle 100% of staff working remotely. Testing this before it is needed gives you good insight into your organisation’s capabilities.

    B) False, but if your IT system can handle it, the more people that work from home the better. Staff who are critical to the operation of your organisation should be the first to work from home. Especially if no one else can step into their role and complete the same output.

    C) True, it has never been easier, but some teams will struggle to work from home. Call centre staff are one example, because the technology they require (specific phones and IT systems to record and administer calls, for example) is not necessarily available at home. So each team must examine its own needs and understand who can and cannot work from home, and what they need to be able to.

    In our continuous monitoring of the ever-developing Novel Coronavirus (COVID-19), we’re starting to acknowledge weekly trends. This week it’s around working from home.

    Let’s take this article, as an example, that focuses on the individual understanding what it takes to work from home. There are some fair points in there like cleaning your home, providing adequate breaks, putting on the correct clothing to get into the right mindset.

    And although we strongly advise you to consider this option, it’s important to practice it, understand who needs to be working remotely and how your IT infrastructure will handle this. You don’t need to practice it with everyone either to get a lot of feedback.

    Leadership considerations

    If you’re part of a leadership team having conversations around a WFH policy, there are some questions to consider on behalf of your people.

    • How confident are you in your staff’s internet connection?
    • Do your staff need a VPN set up? Is this stable and ready to go?
    • Will all applications, data and systems work?
    • Do staff need extra gear at home like screens, docking stations, keyboards? (Who will transport these and how will you record inventory?)
    • Do documents need to be printed now, are they confidential?
    • Are all staff members’ contact details updated and accessible?

    Keeping in touch with colleagues is crucial, even if it’s you that’s at home while they still commute in. Set up regular team scrums over a video conference. Set basic agendas where necessary as you want to focus on the same type of conversations you’d have if walking around your workplace.

    Keeping sane outside of the office

    It is no lie that the treat of working outside of an office environment can wear off very fast. Being in your home from the moment you wake to the moment you sleep can have negative mental effects over prolonged periods.

    You can make this environment more comfortable and work ready by:

    • Setting up your workspace the night before (coffee, notepad, clean space, smart clothes).
    • If applicable, take the opportunity to work in your garden/outside.
    • Leave a book out that you’re reading, take a break every hour and read a chapter to refresh your mind.
    • Exercise well. Put an hour block in your calendar to get out of the house for a walk or run.
    • Start your day an hour or two earlier. Without the commute, you can now finish early and get all those chores done before the family is home.

    If you are in public places at risk of becoming infected with the virus, there are ways you can prepare.

    • Wash your hands regularly with soap and water for at least 20 seconds and dry thoroughly. This is the single biggest strategy that will protect you. Always wash your hands when:
      • You have coughed or sneezed
      • You have been to the toilet
      • Prior to, and after eating
      • After touching any communal space such as an ATM or reception desk
    • Try to avoid touching your face (sounds easy but it really isn’t).
    • Always carry a small hand sanitiser.
    • Facemasks will NOT reduce your risk of contracting the virus, in fact they are counterproductive as they give you a false sense of security and mean that you are less likely to practice the important strategies that can help you. Forgot to wash your hands then removed the mask? Its purpose is now redundant.
    • Avoid public transport.
    • As above, avoid human contact altogether – no handshakes, kissing or hugging. The largest increase in infection was Valentine’s Day this year!
    • If you’re buying lunch/food, assess whether the food is in the open (for example, some cafes have their cakes on the counter, exposed – avoid these).

    RiskLogic has now produced dozens of Pandemic Response Plans. We’re working with many new and current clients to review everything from Crisis Management Plans, to Business Continuity.

    If you’re considering using our services to help your organisation, now is the time to act as we are getting our highest increase in requests to review or write plans. 

  • Why You Should Stop Telling Staff to “Lockdown”

    In the last week, RiskLogic’s website spiked on search results for the keyword lockdown.

    [Image: Lockdown data spike]

    And what do we typically associate the word lockdown with in New Zealand and Australia?

    Probably the March 15th mosque shooting in Christchurch and the Lindt Café siege in Sydney.

    But is lockdown the correct terminology to use currently?

    What we’re dealing with currently is a new virus in our community which can be managed if we all practice social distancing. If we approached the COVID-19 ‘lockdown’ the same way we would the March 15th lockdown, we wouldn’t be able to take our children for a walk (we would be under our desks for the next four weeks).

    Therefore, we must stop labelling it a lockdown in this case, and rather call it shelter in place.

    By definition, shelter in place is when we have a possible external threat and we are staying safe in our place of work, or home, but still allowing our staff to work. (We need to keep working)

    Today marks a point in history we’ll be telling future generations about.

    This morning, Kiwis woke to the eerie thought that much of the population aren’t leaving their homes today, or tomorrow, or this month. It’s different and that causes anxiety and confusion. However, our emails continue to ping, our calendars are still full, but our children and partners are here with us. It’s both a wonderful time of connection but also one of complete isolation.

    How we act now and for the next four weeks will determine how we are perceived as a nation and as leaders.

    In these challenging times, the New Zealand Government has done an exceptional job of keeping us informed and making staunch, quick decisions. They’ve shown exceptional examples of business continuity and communication with Prime Minister Jacinda Ardern noting, “we will be with you every day”. The UK has now moved into a similar state of isolation. Australia’s government shows signs of following New Zealand’s measures in the next day or so too.

    As we adjust over the next 48 hours, we as leaders need to concentrate heavily on our people – more than ever. We need to calm them and reassure them.

    This starts with terminology.

    Recently, a deputy director at the Ministry of Health noted we need to understand the difference between self-isolation and self-quarantine. The latter being what most of us are currently in.

    People in self-isolation are confirmed cases of COVID-19 or probable cases of COVID-19. This term can have a negative spin to it, but it is important to remember there is always a risk of someone in your workplace getting a communicable disease. Infection is usually through no fault of their own, so they should not be stigmatised when they return to work.

    Self-quarantine is a measure put into place to protect people from being put in situations where they could be exposed to the disease. Despite self-quarantine being technically the correct definition of the situation many Kiwis find themselves in, misconceptions around terminology mean self-isolation is commonly used.

    Considerations of terminology

    It’s time to put a positive spin on this difficult situation. There is lots of negativity and fear (understandably). As leaders we can encourage our teams to look for opportunities from a personal and business level.

    Organisations that have planned for this can now thrive from it. With no need to commute, fewer meetings and fewer distractions at the coffee machine, we can make 2020 the year we get all our jobs done.

    A conversation we were recently a part of included the phrase, “while you’re in isolation, please can you get XYZ done”. This simple request can single out and make an individual feel like being in isolation or working from home is their fault. We need to avoid this.

    The commercial benefits of better mindsets

    It probably goes without saying that happy employees bring results.

    In his book Organisational Crisis Management, Gerald Lewis studies and discloses that the effects and afterburner of a crisis last longer than any lifespan (particularly natural disasters).

    When people are affected in your workplace, it takes very little time for the business to begin to fail. Clients are ignored, deadlines missed, reputation damaged.

    Specifically, in COVID-19, we need to remind ourselves that the social distancing requirement to stay at home does not mean a holiday. It does not mean work is paused. Leadership teams need to find inspiring ways to communicate this.

    Could you handle another crisis?

    Earthquakes won’t wait for COVID-19 to disappear (look at Croatia and Japan).

    While the COVID-19 situation continues to evolve, businesses are still forgetting to assess how much more they can handle. Consider this: if your staff are remote right now, your financial situation is uncertain and you wake tomorrow to learn of a serious cyber breach, could your organisation survive?

    Few organisations could manage two crisis events right now. But the likelihood has increased while your operations move into a new “business as usual” state.

    By starting with terminology, contributing to positive mindsets from our staff, we can keep everyone alert and in a good space while we head deeper into this working from home / social distancing state (not a lockdown).

    Have questions off the back of this article?

    > Contact Us Now

  • The Three R’s – Restore, Recover, and Review

    New Zealand’s Prime Minister, Jacinda Ardern, made it very clear that businesses should use this period between Level 4 and 3 as a chance to prepare.

    Recover

    With the Government’s decision to move to Level 3 this coming Monday at 11:59 pm, we all need to prepare for a move towards the new normal. This means restoration and recovery of premises, processes, customers, third-party suppliers and most importantly your own staff.

    This is a considerable process.

    Restore

    At RiskLogic, we have seen that some clients have been proactive in preparing for a resumption of business. But most have not thought it through fully.

    If you have changed your business as usual processes to accommodate Level 4 restrictions, then you will need to consider how this affects your resumption and recovery strategy.

    It is imperative that you look at the changes that have occurred and ask several questions:

    • What will our new normal look like?
    • What do we want to retain from the way we have been working under Level 4?
    • How do we move to this new paradigm?
    • How do we safely phase our staff back to work on our premises?

    Review

    The review, or validation, phase of the planning cycle aims to capture learnings from an event by critically analysing how your organisation responded. These learnings enable you to respond better in the future.

    A review should always follow a significant event. But for many businesses, a review will be a new undertaking.

    COVID has given us an opportunity to review plans thoroughly. It means we can capture learnings from the lockdown period to update our plans (or write plans if we didn’t already have them). It also means that we can absorb the learnings into our new normal, such as the large-scale use of applications like Zoom and Microsoft Teams.

    This process of review is significantly enhanced if conducted by an independent team of experts. They can bring experience, as well as a different perspective to a process that needs to be non-judgemental and robust.

    If you need to ensure a professional and realistic restoration and recovery of your organisation, or if you need assistance to ensure that a review captures all of the learnings from the lockdown disruption, then RiskLogic is ready to support you.

  • The C Word: Complacency

    New Zealand is not as isolated as we first hoped.

    A few weekends ago, I found myself enjoying another beating of the Auckland Blues professional rugby team by my Christchurch Crusaders. There are few things as satisfying as a fresh night out with some family, beers, and hot chips. It is made more special when you can share this with 18,000 fellow Kiwis.

    This coming weekend, however, it’s looking increasingly unlikely the final game of the season will be held.

    In not so recent times, live sport was a commonly shared experience the world over – nothing special. But on this evening, there was something sobering about being the only 18,000 people on earth enjoying live sports that night.

    I feared that the accessibility of normality we all rightfully worked towards here in New Zealand had become a risk to our planning and preparation of a potential second wave.

    Where we believed we had contained and managed the outbreak, we’ve become complacent to the wider struggles and risks that were bubbling up, perhaps even contributing to the final blow for many small businesses.

    Where did I get this assumption from?

    My experience in both the resilience world and the tourism sector allows me to see assumptions that make most feel good about the situation we are currently in. Coupled with the relations I have with family and business partners in the UK, US, Australia, and parts of Europe, it is a very different vibe to what we are telling ourselves here in New Zealand.

    Where we see the glass half full, many of these countries do not even know where the glass is anymore.

    We are in a Kiwi shaped glasshouse

    Prior to the break in our 102 days of COVID-free living, things were pretty good. Live sports, venues, public gatherings, pubs, cinemas – they were all deemed open and good to go.

    Businesses found themselves crawling back, with some domestic spend being up 42% on what was predicted post-lockdown. “Buy local” campaigns are in full effect (given that most businesses relied on tourism here) and deals were in full flow.

    We were relying on each other to keep things moving, but did this make us blind to what the rest of the world is going through?

    Given that Auckland is now in Level 3 lockdown and New Zealand in Level 2, people are angry and frustrated; we seem to be going backwards. But are we?

    The Prime Minister assures us, “we have a plan”. I believe having a plan is half of it; not being complacent and not allowing our pride to cloud the possibility of a second outbreak is the other half.

    Contact tracing, social distancing measures and regional/localised requirements are still in strict effect in places like Asia. But here in NZ, a man who just wants a snack could easily walk out of quarantine. With such effort and sacrifice to successfully navigate the Level 4 lockdown, it’s easy to see why this man became New Zealand’s most wanted.

    Economists the world over are warning of the impending economic storm gathering while loan advisers, house sales and retail are trying to paint a different picture. Huge, significant economic powers, like the US, have thrown in the towel. They are relying on a vaccine that has no due date (specifically Donald Trump who needs a lifeline for his November election campaign).

    Kiwis are notoriously complacent around events like this because we’ve been through a lot. We tend to refuse the likelihood of other crisis events when we’ve been through such dramatic ones already. I can say this with confidence after being front and centre for a decent few earthquakes, fires, cyber-attacks and terrorism (all in Christchurch City alone).

    We can become disconnected from the rest of the world’s dramas very easily off the back of a staunch mentality. Our team still sees this weekly with clients remaining concerned on isolated events rather than eventualities.

    Well, I’m not one of those people you might say. Good for you. I have spoken to some critical businesses who say otherwise. And that is why I am concerned.

    Why is it a risk to be complacent?

    That’s probably obvious, and we should always stay positive where we can. But we must also look for risk in all the tight, hidden places.

    “Who’d have thought at the end of 2019 we’d be going through something like a major pandemic,” a recent client said on the phone to me. “Well… we did!” I replied. We literally have a catalogue of potential crisis scenarios, and sorry to say folks, they’re all possible, any time.

    “We actually got through it OK”

    This was the comment after a short phone call with a government agency during my work in the resilience space. The positivity was strong with this one which on the surface was inspiring.

    I asked how they would get on if it was isolated to just their business? What about if they had a cyber-attack during the lockdown? That is when the conversation took a turn.

    This idea that we managed to isolate the virus and get the country back on track is one that is worth boasting about, but that’s now been crushed, so now what?

    We should absolutely celebrate our response, but we need to talk about what is happening outside our little greenhouse. If we do not, we risk staying complacent to the ripple effects turning into tsunamis.

    We are not in the new normal yet

    I will finish by reminding you that we are not there yet. Just because New Zealand and many other small countries (notably Taiwan) have done well to contain the virus (arguing the point that small islands and low airport/ports helped significantly), we have not experienced what many are calling the new normal.

    Now, only airports are closed which affects tourism. That is not normal, but it is not a new way of living – it just sucks.

    No one knows what the new normal is going to be despite how much the experts will go on about it. We simply do not have enough evidence. Whatever it is, it will still sit alongside many other common crisis events.

    Therefore, it is critical to plan for the worst and hope for the best.

  • The Incident Management Response Pyramid

    Since living and working in NZ and across Asia, all too often I see different terminology for what we do in the resilience space. Your incident management and my business continuity might be the same thing; we just call it something different. It can get confusing for new people, with so much jargon and so many acronyms. Here at RiskLogic, we are all about keeping it simple. People like simple; no one is crying out for complicated during a crisis.

    Therefore, nearly a decade ago, we built an overarching response process that everyone could use with the same terminology, that would allow them to slot in their teams or plan dialogues to whatever they wanted to call them. In line with the Business Continuity Good Practice Guide, we have developed our incident response triangle. Everything is an event, it just has a different level of severity and response, from tactical, to operational, to strategic.

    With everything that’s happening in the world right now, perhaps this is a good time to pull out a tool that has not failed us yet.

    This is how it looks:

    [Image: Business Continuity lifecycle]

    Step 1: Tactical Response

    This is classed as an immediate response to an incident to protect people and property, and is the first stage we tend to find ourselves in when meeting and working with a client for the first time:

    1. Criteria/Description:
      1. Impact limited to a small area of one building/site.
      2. An Emergency can be managed by the warden team (ECO).
      3. Emergency Services will be notified to respond.
      4. Likely response will be less than 1 hour.
    2. Impacts:
      1. People
      2. Assets
    3. Examples of causes:
      1. Assault
      2. Fire (minor)
      3. Bomb Threat
      4. Medical emergency
      5. Gas Leak
      6. IT outage (short term)
    4. Who to activate:
      1. First Response Team (FRT)
      2. Emergency Control Organisation (ECO)
      3. Security
      4. HR
    5. Plans to use:
      1. Emergency Response Plan (ERP)
      2. DRP

    Step 2: Operational Response

    The ability to continue to deliver services at an acceptable level following a disruption:

    1. Criteria/Description:
      1. The emergency is affecting more than one building/site
      2. Coordination required to manage the recovery of the site
      3. Warden team needs support to manage people
      4. Requires coordination of a large volume of people
      5. Requires recovery of critical business functions
      6. Regional or national media exposure
      7. Likely response will be a few hours
    2. Impacts:
      1. People
      2. Assets
      3. Business Operations
    3. Examples of causes:
      1. Active Shooter
      2. Comms outage
      3. Cyberattack
      4. Death of staff member
      5. Disease
      6. Extreme weather
      7. Fire (major)
      8. IT Failure
      9. Natural disaster
      10. Negative media exposure (Local)
      11. Terrorist attack
    4. Who to activate:
      1. Management Response and Recovery Team (MRT)
      2. Incident Management Team (IMT)
      3. Business Continuity Team (BCT)
    5. Plans to use:
      1. Response & Recovery Plan (RRP)
      2. Business Continuity Plans (BCP)
      3. Cyber Response Plan (CMP)
      4. Incident Management Plan (IMP)

     

    Step 3: Strategic Response

    Management of significant events that threaten the organisation and its stakeholders:

    1. Criteria/Description:
      1. Large-scale impact on multiple sites
      2. Requires management at off-site locations
      3. Requires management of key stakeholders and media
      4. International media exposure
      5. Impact on Operations, Reputation, Financial etc
      6. Requires strategic management decision making
    2. Impacts:
      1. People
      2. Assets
      3. Financial
      4. Reputation
      5. Operational
      6. Strategic
    3. Examples of causes:
      1. Conflict of interest
      2. Data breach
      3. Fraud
      4. Negative media exposure (Wide)
      5. Key staff resignation
    4. Who to activate:
      1. Senior Leadership Team (SLT)
      2. Crisis Management Team (CMT)
    5. Plans to use:
      1. Strategic Management Plan (SMP)
      2. Crisis Management Plan (CRM)
      3. Critical Incident management plan (CIMP)

    A situation that cannot be managed at a site level or within business as usual practices will escalate through the organisation, and be managed by the various response and recovery teams. A clear escalation process and the links between the teams who are expected to respond are critical to an effective, swift response to an incident that is identified.

    Many business continuity professionals we’ve met, experienced or not, have the same mindset around a process or tier system for event escalation. What we have noticed is that most of them struggle to identify and map impacts and processes per event.

    By setting out a clear pyramid that breaks it down into only four steps (including business as usual / BAU), you can simplify the problem and quickly implement a plan you’ve already built, practised and agreed upon.

    From saving lives to saving business operations, what is your response process and where do your teams fit into the RiskLogic response triangle? Do you or your organisation already have a similar process?

    If you’re not sure, call us today.

  • The importance of Training and Exercise

    If you follow the Business Continuity Lifecycle (and we recommend that you do), then the professional practice of Validation is number six on the list. This implies that it’s the last phase and, in most instances, it is.

    Unfortunately, this may be the reason it often goes ignored, possibly due to budget constraints, resource or maybe a project more urgent that becomes the focus for the organisation. Regardless of the reason, it really should be the phase where most emphasis is given. You can have the best plans in the world, but if you haven’t trained and validated them and your people, you are setting yourself up for failure. ‘It’s all about the people.’

    [Image: Business Continuity Life Cycle]

    Invest in your people

    It is essential that all individuals undertaking BC related tasks at any level have the appropriate level of competence for the role.

    For each role in the Business Continuity Management (BCM) programme, the necessary skills and desired competence levels should be identified. Individuals should then be assigned to roles according to their current level of competence, with any training needs identified.

    A successful BC training programme should aim to make business continuity part of the culture and the ‘way things are done around here’. This will increase the organisation’s ability to foresee threats and respond appropriately and in a timely manner, thereby improving levels of resilience.

    Train them, then validate them

    A Business Continuity Plan (BCP) is considered a draft plan until it has been validated through a scenario exercise. This is similar to your people when it comes to their training and knowledge. Give them the opportunity to build confidence with their plans and their own capability. It’s better to do this in a safe environment while you have the opportunity – not wait until you are in a real crisis event.

    The purpose of Validation is to ensure that the BC capability reflects the nature, scale and complexity of the organisation it supports and that it is current, accurate, and complete. Validation additionally confirms that actions are taken to continually improve organisational resilience.

    It is vital to run a scenario exercise as an organisation’s BC capability cannot be considered reliable until it has been exercised.

    Each exercise within the Exercise Program needs to be carefully planned to maximise the benefits from the time expended in developing and delivering it. The following should be considered:

    • Realism
      • Exercises should feel as real as possible
    • Minimal Exposure
      • Exercises should minimise the exposure to disruption
    • Costs and benefits
    • Preparation
      • Scope, complexity and skills required
    • Participants
      • Who should be involved

    Over the past decade, RiskLogic has facilitated over 850 training sessions and scenario exercises including the MCG Anti-Terror Scenario, as reported by Sunrise on Channel 7.

    We are the industry-leading supplier of realistic and valuable exercises that encourage all teams and individuals to learn from and act upon the situations we put them in.

    For more information on the importance of training and exercise, you can contact us directly for a discussion.

    info@risklogic.co.nz 

  • The Human Impact of a Crisis

    Media and society encourage us to think more about the economic and structural damage of a crisis, than the human impact. It’s only natural that when coverage of a major event – like the Beirut explosion – occurs, we soon forget about the human impact this would have had on those people. As awful as it is, something new takes over the coverage and we navigate this instead.

    In your organisation, a similar mindset will severely damage your culture and output.

    More and more team leaders are giving greater consideration to how they look after their people than to the administration of their business – which is a good thing. But there are things to identify in this approach.

    Types of Crisis Events

    To better understand how employees are likely to react in a crisis, we need to look at the different types of crisis events that they may be exposed to. Incidents can be categorised into the following four types of events:

    Natural Disasters vs Man-Made

    A natural disaster, like the 2011 Christchurch Earthquakes, can bring about injury or even death to personnel, or damage and destruction to an organisation’s infrastructure. In the Christchurch Earthquake, this was certainly the case.

    There may also be an act of violence or hostility perpetrated by a single individual against an organisation, its personnel and its property. Let’s imagine that the incident above was a result of a violent act by an individual and not an act of nature: a lone gunman who walks into a place of work and shoots randomly, with the same results or worse. The human reaction to either event is extremely distressing; however, one can speculate that the tendency of people is to see acts of nature as just that – therefore the reaction is usually one of grief, sadness, and questioning of, or returning to, faith. In contrast, in an incident involving acts of violence, there are often all of the above, but also accompanied by anger, anxiety, apprehension about safety and security, etc.

    When the March 15th shooting occurred in Christchurch, the following week saw many organisations relocate their staff and consider work-from-home policies.

    Making things worse is a tendency for the media to be more involved in an act of violence than if the incident had been an earthquake or weather event. The runtime for the story is protracted, involving stories about the perpetrator’s family, the victim’s family and similar incidents. You would struggle to find any news on the significant Argentinian fires (which currently outsize Australia’s of last year).

    During natural disasters, an entire city or region may be affected, and people often bond together within communities; this was very evident during the Christchurch Earthquake. In contrast, where man-made events occur within a single organisation (a cyber attack or fire, for example), there may be a sense of isolation from the community, as people may feel some guilt by association. It often feels like the world “keeps going” while theirs has stopped. There is a feeling of them and us: the people directly affected and the bystanders.

    Passive vs Active Trauma

    Passive Trauma is an actual injury, assault, loss of a job, crisis, medical procedure etc. Passive trauma is more in line with physical or emotional neglect. Someone not responding to your trauma, not providing support or just not registering your trauma.

    Immediately after 9/11, many organisations experienced the fallout of passive and active trauma among their staff. There are case studies of businesses that had a well-conceived Business Continuity plan with documented recovery procedures and still failed because they did not address the human impact (in this catastrophic event, exceptions could be made).

    Soon after the attack, companies had managed to evacuate all staff and invoke a business continuity plan. Part of that plan was to relocate staff to new offices, usually out of state.

    In the following weeks, as staff relocated, an unexpected culture was being reported nationally. Although the staff at the alternate office were part of the same company and sympathetic, a “them and us” status soon developed. The staff who had been directly impacted by being in New York City that day struggled to mix and work with the staff who had watched it all on TV. The new office environments didn’t work.

    Let’s be honest, could you work with someone who had gone through such trauma Monday to Friday, for the foreseeable future? It would take an emotional toll on anyone and be a constant elephant in the room scenario.

    With regards to your staff, situational awareness is critical for a crisis team leader, but the human impact is often overlooked in that awareness. We must identify some ways to help you build employee engagement during a crisis.

    Building Employee Engagement during a Crisis

    There are 3 key steps to building employee engagement during a crisis. This involves:

    • Recognising when employees have specific needs in a crisis:
      • Are my colleagues safe?
      • What work will I be doing?
      • Will I still get paid?
      • How will this impact my family?
      • What support will you offer me?
    • Utilising Employee Assistance Programs:
      • Employee Assistance Programs (EAP) are typically provided by external professional organisations. They are contracted to provide confidential support and advice to employees for a range of mental health and well-being issues. Unfortunately, most employees are not familiar with EAP programs or how they operate. In addition, many employees distrust that any contact will remain confidential. Access to EAP programs should be available for any mental health and well-being issue, not just trauma situations.
    • Debriefing:
      • A debriefing is a one-time, semi-structured conversation with an individual who has just experienced a stressful or traumatic event. Consideration should be given to:
        • When do you debrief?
        • Who should receive a debrief?
        • Who should conduct a debrief?

     

    Key Success Factors for Engaging Employees

    Successfully engaging employees during a crisis requires Crisis Managers to provide the right mix of:

    • Information
    • Communication
    • Intervention
    • Follow-up

    Don’t forget the human factor in your plans. Your staff are your most important assets to facilitating a successful recovery from whatever unexpected event has come your way. Staff will more than likely react differently to different types of crisis events. Make sure you are prepared and ready for that.

    Writing a strategy into a plan without confirming its validity through desktop or live scenarios is not a strategy at all. Validate the plan, validate the strategy and validate your staff.

  • Cybersecurity: Not Just an IT Issue

    It seems nowadays that just about everyone has technology making their lives easier (or worse). You can paint a masterpiece with your finger via an app on your phone, and then tag the astronauts on the ISS from your lounge or even become an overnight sensation just by wearing a Star Wars mask. So when do we stop to think (and seriously consider) how vulnerable we are to technology?

    In 1999, New Jersey resident David L. Smith gave a showgirl in Florida the ultimate gift: a computer virus that bore her name. Using a stolen America Online account, Smith posted a Word document infected with “Melissa” to a discussion group on America Online, purporting it to be a list of usable log-in information to pornography sites. Smith’s virus spread via email, forwarding itself to fifty email accounts in Microsoft Outlook on every infected computer, which, over time, overloaded email servers and forced companies such as Microsoft, Intel, Lockheed Martin, and Lucent Technologies to shut down their email networks. In the end, Melissa performed viral dances on upwards of one million infected PCs and caused $80 million in damage.

    A year later, in February 2000, Michael Calce, aka “Mafiaboy”, singlehandedly took down Yahoo, CNN, eBay, Dell, & Amazon. The first major distributed denial-of-service (DDoS) attack, responsible for crippling some of the internet’s most popular websites, was executed at the hands of a Canadian citizen not old enough to drive. Mafiaboy, a 15-year-old, set out to make a name for himself in February 2000 when he launched “Project Rivolta,” which took down the website of the #1 search engine at the time—and second-most popular website—Yahoo. Thinking it may have been a fluke, he went on to attack the servers of CNN, eBay, Dell, and Amazon in a wave of highly-publicized attacks that were the first to show the world how easily one kid can knock out major websites.

    Now imagine you were Jerry Yang of Yahoo or Satya Nadella, and you’ve just been told by your IT team that someone has posted millions of viruses to all customers and personal details are now missing. You ask them, “OK, what can we do about this? Can we get the details back? Can we find out who they are?” The answer, as in so many cases, is a resounding no.

    Within an hour, only 10% of Yahoo’s customer base realises they’ve been hacked; however, they’ve now involved the media. Before the executive has even made their first morning coffee and fed the dog, they’re standing in front of the world press to explain how the company they run, one of the biggest and most profitable in the world, has just been hacked by a kid not even old enough to intern for them.

    OK, yes, you’re probably not running Microsoft right now, but that doesn’t matter. You have a responsibility beyond your IT’s security. Are you ready to action this when it’s time?

    A cyber attack isn’t an if situation, it’s a when. Over the last two years, 70% of crisis events have been IT related. That means 7 out of 10 negative impacts on your business are technology/IT based.

    Further to my post around convincing a CEO to revisit their business continuity, it’s important to look into more specific issues that the leadership team is going to have to deal with. What plans could you set in place that will be effective? What will you do to maintain trust and a high level of service to your customers?

    Technology doesn’t attack organisations, people do. It’s silly mistakes from people that open up business operations within seconds.

    Brad Law, NZ Country Manager, has given these talks hundreds of times. Dealing with some of the world’s most important sectors, the message is always the same: “the biggest attack vector by a large margin is people and people being careless”.

    “I think the most important thing to impress upon [your staff] when it comes to IT security is that most of the time technology isn’t the issue”

    An attack as serious as the WannaCry cyberattack was a prime example of organisations showing their resilience but also showing that they’d prepared in advance for such an event.

    You can Google the names of the companies affected. This is not a good look for any organisation and could have easily been avoided. The companies’ computers didn’t infect the organisation; the people who run them did.


     

    For all organisations, it’s imperative that you ensure you’re staying up to date as much as possible. Understand the threats, get to events and seminars on what the possible vulnerabilities may be within your organisation.

    When was the last time you validated and checked your Malware? If it wasn’t within the last 90 days, it’s overdue!