The wheels of any organisation are set in motion by its people. While systems, strategies, and bottom lines remain the bedrock, it is people who are the real driving forces behind business continuity and success. Despite this, the element of human factors often lacks attention when it comes to business continuity planning.

---

The Human Element in Business Continuity Planning

The human element in business continuity planning is often overlooked. Organisations must realise that it’s their people who execute their carefully crafted strategies during a crisis.

This human element encompasses the roles, reactions, and resilience of a team within an organisation. Their understanding of what to do and why they’re doing it in a crisis significantly influences the effectiveness of a business continuity plan.

Acknowledging everyone’s unique insights allows for more effective and holistic planning. Equally critical is effective communication before, during, and after a crisis incident. Everyone should understand their roles, responsibilities, and the impact of their actions on the recovery effort.

Another paramount factor is training and preparation. Regular drills can ensure team readiness and efficiency during a crisis. Additionally, fostering organisational resilience is substantial, that is, cultivating a team that can withstand adversity and recover swiftly.

 

Taking A People-Centric Approach

A people-centric approach towards business continuity planning is fundamental to ensure successful recovery during a crisis. Such an approach prioritises not only processes and systems, but also the human element that drives all organisational activities.

This strategy begins with fostering a shared understanding of the business continuity plan and its objectives among all individuals. Ensuring everyone has knowledge of their role and actions during a disruptive event contributes to the plan’s efficient execution.

Next, open communication is pivotal. Regular communication outside of crises, bolsters trust within the workforce, resulting in higher commitment and performance during periods of disruption. It acts as a two-way channel, helping leaders gauge team sentiment and adapt accordingly.

Training remains a core component of a people-centric approach. When team members are confidently prepared through regular drills and training sessions, their response during an actual crisis can be swifter and more efficient.

Providing support and care to your team in challenging times can result in increased resilience to adversity. This translates to a quicker recovery from disruptions, with individuals feeling empowered and valued. Embracing a people-centric approach to a business continuity planning allows an organisation to navigate successfully through unforeseen disruptions.

 

Contact Our Expert Team

Learn More About Business Continuity Planning

Business Continuity Planning (BCP) has never been more essential than it is today. With the world witnessing a significant number of unfathomable disasters, both natural and man-made, it’s become crucial for businesses to ensure their survival through strategic resilience planning. 

This blog will delve into understanding what a Business Continuity Plan is and why your business needs one to sail through tumultuous times. 

---

Understanding Business Continuity Plans (BCP) 

A Business Continuity Plan (BCP) is a strategic blueprint outlining the procedures and instructions an organisation must follow in the face of adversity. These adversities could involve a range of incidents, including natural disasters like bushfires, floods or cyclones or man-made crises like cyber-attacks or pandemic outbreaks. 

The primary goal of a BCP is to enable the uninterrupted functioning of your business by minimising the impact of disasters on business operations, ensuring employee safety, and preserving company assets. It identifies essential business functions and processes and provides a roadmap on how to maintain and recover them.  

Typically, a comprehensive business continuity plan includes: 

• Detailed overviews of the organisation 
• Scalable plans of action for different scenarios 
• Lists of responsibilities for each team member 
• Communication strategies 
• Procedures for plan maintenance and testing 

Why Your Organisation Needs a Business Continuity Plan

A Business Continuity Plan is required in your organisation for many reasons, including: 

• Protect Employee Safety: Your employees are your most valuable assets; ensuring their safety should be paramount. A BCP establishes guidelines for protecting the safety of employees during a crisis by providing evacuation plans, emergency contacts, and procedures. 
• Minimise Disruption: In the event of a disaster, with a robust BCP in place, you can ensure minimal disruption to your business. By identifying crucial operational areas and planning to recover them quickly, business can return to normality sooner rather than later. 
• Safeguard Business Reputation: A BCP can maintain the confidence of your clients, stakeholders, and the public by demonstrating preparedness and resilience. It sends a proactive message that the organisation is committed to delivering on its promises despite adverse circumstances.
• Financial Protection: Often, the more extended a disruption, the more it costs. A BCP lays out specific processes to help save time in restoring services, thereby reducing financial losses.
• Compliance: Various industries are obliged to conform to specific continuity and regulatory requirements. A BCP helps ensure that your business remains compliant, even in times of crisis. 

Developing a Business Continuity Plan 

While each Business Continuity Plan is unique to an organisation’s needs, they share similar development steps. The first step involves identifying the scope of the plan, focusing on essential operations and processes that contribute significantly to the company’s survival. 

The next stages include:  

• Conducting a business impact analysis (BIA) 
• Recovery strategies planning 
• Plan development 
• Training and testing the plan to guarantee its effectiveness. 

Revisions and updates must be done regularly, ensuring the BCP reflects any changes within the business or environment. 

In an ever-evolving world, unforeseen hindrances are unavoidable. However, with a robust Business Continuity Plan, they become manageable. Guided by anticipation, resilience, and adaptability, a BCP ensures your business is prepared to rise above any crisis. 

At RiskLogic, we understand the importance of a BCP and recognise that every business’s needs are unique. Our professional consultants work with you to develop practical, straightforward, and effective business continuity plans to safeguard against potential threats. 

Contact us today to get a deeper insight into this topic from our expert team of consulting experts. You can also learn more about business continuity planning here.

Having a business continuity plan in place is essential for any company that wants to ensure the longevity of their business. Business continuity management helps to ensure a company can respond and adapt to any potential disruptions or disasters that may occur. Without proper planning, a company’s operations and processes could be significantly impacted, leading to costly disruptions or worse.

At RiskLogic, we understand the importance of having a comprehensive business continuity plan in place. Our team of experts works with world-class brands to create customized plans that help them reduce risks, improve preparedness, and create resilience.

Based on our experience, we wanted to provide others with our top tips to ensuring continuity in emergencies. Here are five ways organisations can improve their business continuity plans:

 

1. Identify risks and prioritize them to improve Business Continuity

Before you can create an effective business continuity plan, you need to identify potential risks and prioritize them based on their potential impact. By understanding the risks you face, you can be better prepared and create a plan that is tailored to your company’s needs.

Risks that a business could face that may need to be identified and prioritised include:

• Cybersecurity Risk: cyberattacks, data breaches, and other malicious activities.
• Operational Risk: supply chain disruptions, natural disasters, and pandemics.
• Financial Risk: market volatility, currency fluctuations, and fluctuating customer demand.
• Regulatory Risk: employment laws and data privacy laws.
• Reputational Risk: negative publicity or customer complaints.

 

2. Develop a Business Continuity response plan

Once you’ve identified and prioritized your risks, you need to develop a response plan. This plan should include specific steps to take in the event of a disruption or disaster. Steps that could be included in your response plan include:

• Establish a Business Continuity Team: Form a team of key stakeholders to plan and coordinate the business continuity and disaster recovery efforts.
• Develop a Business Impact Analysis: Identify and assess the impact of a potential disruption on the business operations.
• Implement Controls and Procedures: Implement and review procedures and controls to ensure the business continuity plan is followed and updated as needed.

 

3. Test your Business Continuity regularly

You should test your business continuity plan on a regular basis to make sure it will work in the event of a disaster. Without proper testing there is no other way to assess the effectiveness of current plan.

There are a few methods to testing your business continuity plans including:

• Run a simulation: A simulation can include a full-scale exercise of the plan, with staff members acting out their planned roles, or a smaller test that focuses on a specific area of the plan.
• Conduct a tabletop exercise: A tabletop exercise involves a discussion of the plan among staff members, led by a facilitator. The facilitator will ask questions about the plan and encourage discussion about how to improve it.
• Conduct a risk assessment: A risk assessment is an important part of any business continuity plan. It should be conducted regularly to identify potential risks and assess their impact on the business. This can help identify weaknesses in the plan and provide an opportunity to revise or update the plan as needed.

 

4. Establish communication protocols

Establishing clear communication protocols is essential for business continuity planning. This includes identifying the people who need to be informed in the event of a disruption, as well as setting up communication channels and establishing protocol for communication with customers and stakeholders.

By having clear communication protocols your team can efficiently and effectively communicate to internal stakeholders, as well as external media representatives during and after an incident.

 

5. Monitor and review your Business Continuity plan

Once your business continuity plan is in place, it’s important to monitor and review it regularly. This will help ensure the plan remains relevant and up to date, as well as identify any potential areas of improvement.

One part of this stage is to conduct the risk assessment that was mentioned earlier, however there are a number of other ways to review your plans to ensure their effectiveness.

By following these five steps, businesses can ensure they have a comprehensive plan that is up to date and can help them respond quickly and effectively in the event of a disruption or disaster. We’ve found in our experience that these are the most often missed things that businesses can implement immediately, therefore helping them withstand incidents far more effectively than ever before.

---

 

For a more comprehensive, detailed and tailor-made approach to your business continuity & resilience, our team of experts can help you create your own business continuity plan to create world-class levels of resilience.

Contact us today to get a deeper insight into this topic from our team of consulting experts.

In the face of unexpected disruptions, having a sound Business Continuity Plan (BCP) is crucial to preserving your organisation’s operational integrity. By developing adaptive strategies and solutions, companies can ensure that business operations are not severely impacted during a crisis event. Below, we shed light on how to design robust business continuity solutions.

 

1. Conduct a Business Impact Analysis (BIA):

One of the fundamental steps in designing business continuity solutions is conducting a comprehensive Business Impact Analysis (BIA). This process involves identifying and evaluating the potential effects of interruptions to your business operations. The objective here is to pinpoint the essential functions of your business that are crucial for its survival.

Three key aspects to consider while conducting a BIA are:

 

Identify and Assess Critical Business Processes:

Start by identifying critical business processes that are vital for the day-to-day functioning of your business. For example, it could be your IT system, production line, or customer service operations. Assess the consequences of these processes being disrupted. This requires an in-depth understanding of your business operation.

 

Evaluate Financial and Non-financial Consequences:

Determine the financial impact for your business if critical operations were interrupted. This might include assessing lost revenues, regulatory fines, compensation costs, or potential contractual penalties. Beyond financial consequences, think about non-financial issues that can have long term effects, like damage to your brand reputation, customer loyalty, and employee morale.

 

Understand Recovery Time Objective (RTO):

The RTO is the acceptable amount of time to restore the process after a disruption before it severely impacts the business. Understanding your RTO helps in prioritising the recovery of individual processes and systems, which is essential when resources are limited.

By understanding the integral working aspects of your business and the potential fallout from their disruption, you can begin to shape a business continuity plan that will guide your organisation towards rapid recovery and minimal losses.

 

2. Identify and Manage Risks:

 

A pivotal step in the creation of your business continuity plan is the identification and management of potential risks that could threaten your organisation’s operations. This process forms the backbone of your strategy as it allows you to take a proactive approach in foreseeing and preparing for these possible disruptions. Here is a more detailed breakdown of the approach:

 

Risk Identification:

Begin with a systematic process to identify the potential threats that could impact your critical business operations identified in your BIA. These could be a wide variety of risks – cyber-attacks, natural disasters, supply chain failures, among others. Drawing from historical data, recognised trends, and comprehensive brainstorming sessions can assist in detailing a comprehensive list of these threats.

 

Risk Assessment:

Once the risks are recognised, the next step is to evaluate each one based on its likelihood of occurrence and the potential damage it could cause. This critical step allows you to focus resources and attention on high-probability and high-impact risks, rather than expending significant resources on less likely or less impactful scenarios.

 

Risk Mitigation Strategies:

Now that you have identified and assessed the risks, you need to determine how to manage them. Risk mitigation strategies vary from transferring the risk via insurance, mitigating the risk by implementing controls, accepting the risk, and developing contingency plans, or avoiding the risk by changing business processes. The approach may vary depending on the specific nature of the risk and the unique circumstance of the organisation.

Clear understanding and management of risks pave the way for establishing a solid strategy that safeguards your business operations. As part of your ongoing business continuity efforts, regular updates to your risk identification and assessment processes are crucial to ensure your plan stays relevant and efficient.

 

3. Develop Your Business Continuity Strategies:

 

With a clear understanding of the potential impacts to your business and risks at hand, the heart of your Business Continuity Plan – the continuity strategies – can now be developed. The purpose of these strategies is to ensure the continuity of operations and service delivery during disruptive events. Here’s how to go about it in more detail:

 

Analyse Recovery Strategies:

Understanding what your business needs to function effectively during a crisis is fundamental. This could be anything from ensuring a certain volume of inventory stocks, maintaining critical IT systems complete with data backups, to having an alternate power supply or co-locate facilities ready. Map out your recovery strategies in detail, ensuring that they align well with your Business Impact Analysis.

 

Diversification and Redundancy:

One common strategy to consider is diversifying your resources, components, or methods of operation. This might involve diversifying suppliers, cross training your employees, or building in system redundancies. By doing so, your operation is not wholly dependent on one element, thus enhancing overall resilience.

 

Formulate Contingency Plans:

Contingency plans represent your Plan B, the action steps involved if your primary strategies were to fail. This could involve provisions for alternate workspace locations, identifying backup suppliers, or employing remote working arrangements. The aim of these plans is to ensure that critical business operations can continue no matter what circumstances occur.

 

Resource Allocation:

Successful implementation of your strategies implies that sufficient resources are assigned, including personnel, equipment, and finance. This step involves clarifying roles and responsibilities, along with timelines for actions to be taken.

 

Sequence of Recovery:

Considering the complexity of business processes, it’s imperative to identify the sequential order in which systems should be restored during a disruption. Outline a specific timeline for the process for efficient recovery.

 

These strategies underpin your Business Continuity Plan, allowing your business to adapt and respond effectively, minimising the impact of a crisis. Once formed, they should be regularly reviewed and updated to ensure they remain fit for purpose as your business evolves, and new risks emerge.

 

4. Form an Incident Response Team:

 

Having the right people at the helm is crucial to effectively manage a crisis situation. An incident response team plays a critical role in driving the execution of your Business Continuity Plan. Here’s how to form and prepare your team:

 

Identify Team Members:

Start by identifying who will be on your incident response team. This team typically consists of senior leaders and members from various departments – from HR to IT, Communications to Operations – each bringing their unique expertise to functional areas of the response process.

 

Define Roles and Responsibilities:

Once you have the team members, clearly define each person’s role and responsibilities during a crisis situation. This could range from making key decisions, managing the communication flow, coordinating recovery efforts, and liaising with external stakeholders such as first responders or the media.

 

Plan for Redundancies:

Ideally, each role in your response team should have a backup. In a real-life crisis, it’s entirely possible that some of your team members may not be available. Hence, it’s important to ensure that multiple individuals are trained and can step up to perform critical roles if needed.

 

Equip Your Team:

Ensure your team is equipped not just with skills, but also with tools and resources they need during a crisis. This could be anything from access to emergency communication equipment, necessary PPE, or a round-the-clock working space during certain emergencies.

 

Conduct Regular Training:

Even the most carefully laid plans can falter if the team doesn’t know how to execute them in a moment of urgency. Robust and regular training sessions can foster a well-prepared and confident team when they’re required to act.

 

Foster a Crisis Leadership Mindset:

Fostering a crisis leadership mindset within your team can go a long way. Empower your team to make critical decisions during crisis, foster resilience, communicate effectively, and prioritise well in high-stress situations.

 

A well-prepared incident response team can significantly bolster your organisation’s resilience, efficiently navigating even the most challenging crisis situations. Remember, a team that trains together stands strong together. Regularly reviewing and refreshing these teams’ roles and training ensures an operational readiness to face any adversity.

 

5. Develop and Document Your Plan:

 

Once you have the components of your business continuity solutions, it’s time to compile it into a comprehensive document, which will serve as your Business Continuity Plan (BCP). This document not only directs how a business reacts to a crisis but also serves as a point of reference for everyone involved. Here’s what this step entails in more detail:

 

Document the Plan:

The BCP document should typically start with an overview of the plan, its objectives, and its governing principles. Following this, include sections that detail the outcomes of the previously discussed processes – the Business Impact Analysis, Risk Assessment, Business Continuity Strategies, and the Incident Response Team.

 

Outline Clear Procedures:

In the BCP, document explicit procedures for a plethora of potential scenarios your business might face. Ensure that these procedures are easy to understand, accessible and effective. Detail the activation triggers, step-by-step actions, the roles involved, and the resources required for each scenario.

 

Communication Strategy:

Include a section that outlines how communication will be managed during a crisis, both internally and externally. This should encompass guidelines for keeping all stakeholders informed. Also, consider how will you communicate if your primary channels fail? Outline alternatives in these instances.

 

Emergency Contact List:

A critical section in any BCP is the list of emergency contacts. This is not only limited to your incident response team members but also includes other crucial contacts such as local authorities and emergency services, utility and service providers, insurance companies, key suppliers, and customers.

 

Plan Accessibility:

The BCP document should be easily accessible to all relevant parties. Ensuring that multiple copies are stored both online and offline guarantees that the plan remains available even if normal business environments are disrupted.

 

Confidentiality Considerations:

The BCP often contains sensitive information. Therefore, the plan’s circulation should be controlled and only made available to those who require its information.

 

Remember, your BCP document isn’t a one-time task. The landscape of threats and your business operations are constantly changing, and hence, the BCP must be a living document, constantly reviewed and updated to maintain its relevance.

 

6. Regularly Test Your Plan:

 

Testing is a vital part of developing an effective Business Continuity Plan (BCP). Without testing, you can’t fully gauge whether your strategies are comprehensive and would work when a crisis arises. Let’s dive into how to test your plan effectively:

 

Determine the Testing Method:

There are a variety of methods to test your BCP, including walkthroughs, tabletop exercises, partial or full-scale simulations. The method you choose depends on what you’re aiming to test and your available resources.

 

Set Out Objectives:

Before carrying out any test, set out the objectives that you want to achieve. These could range from identifying gaps in the plan to testing individual elements of the strategy to assessing the effectiveness of the incident response team.

 

Document the Process:

Detailed documentation of the testing process, including what was tested, how it was tested, who was involved, and the results derived, is essential. It provides valuable insights that you can refer back to when updating and revising your plan.

 

Agree on a Schedule:

How often you test your BCP could depend on various factors such as the size of your business, the rate of organisational change, and the evolving risk landscape. Generally, a BCP should be tested at least annually, although parts of the BCP might need more frequent testing.

 

Review and Revise:

After your test, gather everyone involved to discuss what worked and what didn’t. Aim to make improvements and modifications to your BCP based on these findings to ensure that your plan is as effective as possible.

 

Remember, every test, in every form, provides an opportunity to learn, refine, and improve. Perfection is not the ultimate goal during test exercises – it’s about finding vulnerabilities and fixing them before a real-life crisis hits. The prime objectives are to learn, enhance readiness, and strengthen your organisation’s resilience.

 

7. Review and Update Continually:

 

The last but equally crucial step in designing a business continuity plan is continuous reviews and updates. A business environment is not static; as it evolves, your business continuity plan should evolve with it. Let’s see what this step involves in more detail:

 

Regular Check-ups:

Incorporate a regular review of your entire business continuity plan into your business calendar. The frequency may vary based on nature of business and apparent threats, though a good rule of thumb is at least once a year or when major changes occur in the organisation.

 

Following Changes in Operations:

If your business experiences significant changes, a review of the business continuity plan is necessary. For instance, if operational processes change, a new branch opens, a new software solution gets implemented, a merger or sale occurs, or new threats emerge in the industry. All these factors can have implications on your existing plan and must be considered.

 

Post-incident Review:

After an incident occurs, hold a debrief meeting to glean insights from the team involved. This should aim to identify what worked and what didn’t in the plan and then take appropriate steps to improve.

 

Update as Needed:

If reviews or real-life situations indicate gaps or weaknesses in your plan, it’s pivotal to not only note these down but to update your plan accordingly. An out-of-date plan can cause more confusion than relief in a crisis situation.

 

Communication:

Once revisions have been made, don’t forget to communicate the changes to everyone who needs to know. Make sure everyone who has a copy of the plan updates their version to the latest one.

 

---

 

Designing a comprehensive business continuity plan can be challenging, but the reward of maintaining business as usual in the face of crisis is invaluable.

At RiskLogic, our team of experienced consultants helps organisations build robust and resilient plans that mitigate risks and uphold operational integrity, even in the face of adversity. So why wait until disaster strikes? Let us help you build a resilient future, get in touch today.

 

Contact Us today to learn more

Learn more about Business Continuity solutions

That unmistakable feeling that the world just got unstable is becoming a way of life in NZ, but you never get used to the nightmare that is an Earthquake. It seems almost comical to chuck a Senior Business Continuity Consultant into an Earthquake, then be evacuated due to Tsunami risk – exactly what we preach daily.

The one that hit our 2-story house at Waikuku Beach just after mid- night on Monday the 14th November, felt like it was never going to stop. As a Crisis Management Consultant, I frequently talk about my experiences in the Christchurch 2010/11 EQ and the stress that each aftershock brings, because you never really know how long it’s going to last. This was no aftershock, this was the real deal and it just wouldn’t stop, 40 seconds of the ground turning to jelly then, 2-3 minutes of it trying to settle into its new bed beneath our feet. Remember in the 80’s when those water beds came out and destroyed everyone’s backs? Well, it felt like my home had been placed on one of those and we were told to brace.

Survival mode kicks in, following the standard drill; drop, cover, hold. A quick inspection for damage, a couple of broken ornaments but no rushing water, no cracks in the walls. Initial impact assessment complete. Time to get the incident team together, me and the wife! Sorry old habits die hard, processes just kick in and stuff gets done, yes I’m an incident nerd!

Things are not good, but are we in a crisis yet? If we are then this definitely has the characteristics of a sudden crisis:

• Unpredictable, unexpected: Fast asleep in dreamland this was certainly unexpected.
• High degree of instability: we were certainly all over the place for the first 5 mins, is this really happening again after the five years of torment already?
• The immediate potential for extreme negative results: Things seem OK in our world but we had no idea that most of NZ were feeling this one. My flight to wellington later in the day was looking doubtful.
• Immediate management attention, time and energy: With the realisation of a real threat of Tsunami my attention was now focusing on our escape plan.
• Often brings about organisation change: Living at the beach is losing its charm, my wife is looking for higher ground!

Being in the business and being an EQ veteran the “grab bag” is always ready to go. The basics in tow, torch, gas cooker, first aid kit, water, tins of beans, battery charger, sleeping bag, etc and of course, dog food! So when the Tsunami alert was given we were ready to go. We had a plan and we were just about to put it into effect.

But planning and doing are two different things, again something I’ve spent many years trying to teach. The realisation when we drove out of our drive joining the rest of the fleeing villagers, that we might not see our house again, can’t be simulated in an exercise. Not that I have made my wife practice our evacuation procedures, I’m not that much of a nerd! But I was working hard to recall my training on the human impact of a crisis. Magnified by the fact that our animal family was one short, the cat was nowhere to be seen! Despite trying to follow what you’ve been taught and what we know as professionals, emotions start to sink in. Driving away in the pitch black with our lovely, peaceful house fading into the background in my rear view mirror, not knowing whether it would handle the night ahead.

Just to put it into perspective, you can see the ocean from our window and walk to it in four minutes. We were the exact people the Police wanted to evacuate.

Impact assessment complete, the team assembled, communications complete to my son in Wellington and our recovery strategy initiated, relocate to an alternate location. Classic 5 initial steps to managing your crisis.

Of course, these actions relate to recovering your business, but why not relate them to your own preservation too? Having a plan, any plan is always a good idea. In a night of unknowns and real stress, it certainly helped to focus my mind. After 7 hours of sitting in our truck on a hill with the dogs, not knowing if the 5-meter wave predicted was coming, it was a relief when we got the all clear to head home.

Time now to put my business continuity for my business into action, my clients in NZ, Wellington, Christchurch, Nelson and Tauranga were dealing with their own issues, our meetings were put on hold, but my Australian clients would still need attention. My Maximum Allowable Outage (MAO) 24 hours, for my critical process Respond to client enquiries and issues, was not under threat.

Lessons learned:

1) Every incident is different, this was real – not a test, but we can still learn from it. We can always do things better. My fuel tank on the truck had dropped below half full. Always keep it above half.

2) Don’t panic, it really doesn’t help. Your employees or your wife won’t appreciate it, people need to be lead by a strong confident leader.

3) Make a decision. The Tsunami alarm didn’t work, some people stayed. The radio said leave because that was the advice from Civil defense. Better to get ahead of the game, you can always come back if it’s a false alarm.

4) Have a good plan for the pets, they have to come and they don’t always want to. The cat needs a cat box, he will run off the first chance he gets.

5) Have your grab bag ready to go. Check it frequently, stuff can go out of date.

6) Have a plan, any plan. Remember the 6 Ps. Prior preparation and planning, prevents piss poor performance!

The gas cooker was on full noise on the tailgate of the Hilux 4×4 for the first brew of the day while the sun rises over our disfigured land, and I have internet connectivity, we are literally “cooking on gas” now. Normal business has resumed, even if I am standing knee deep in a paddock of cow dung!

Until next time, Plan, do, check, act…

Contact Us today to learn more

Are there contractors working on our site? If there are, then they should be categorised as our staff? Good response plans will always have an immediate response action checklist. Despite most organisations having different internal procedures and areas to focus on during an event, I would hope that they all follow a similar structure, something like this:

Safety & Wellbeing Check:

• Am I OK?
• Is my family OK?
• Are my colleagues OK?
• Are customers or visitors in the office OK?

These are all very relevant points but you need to be diving deeper into this, specifically with visitors.

You are responsible for everyone on site

Are there visitor-contractors working on our site? If there are, then they should be categorised as our staff.

Why should there be a difference between contractors and staff? After all, when I come to your site and train your staff, I’m a contractor…and I’m pretty important!

Maybe it’s time to start considering the following:

• Have contractors signed in and do we know their whereabouts?
• Have they done an induction that includes how we as an organisation respond to unexpected events, and what we expect from them?

– I recently visited a rail and coal client in Australia who presented me with a very professional and detailed video on their Emergency Plans. Amazing stuff (blog coming soon on that one)!

• Do they have a Business Continuity Plan? Do they have a back up to support us if they suffer a disruption?
• Can we stop them talking to the media if they turn up?
• Should we start to include them in our training sessions and scenario exercises?

We’ve seen this before

The recent Australian Defence Force Hacking was a prime example of why you need to know your contractor’s processes inside out. It also highlights that they don’t necessarily need to be onsite to impact the way you run your operation.

I bet few people can name the contractor in question who failed to put up effective defences to prevent a cyber-attack, but we all know that at the end of the day, the buck stopped with the Australian Defence Force!

Another prime example that recently came up in my training session was around how some CCTV footage and sensitive documentation is being left with third-party contractors. Again, if any of this was to be leaked, how would you respond?

Facial recognition for CCTV is currently being used by law enforcement across Russia and now the UK. Australia will adopt this technology as well should the rollout be effective.

However, in terms of practical use, it can be very shady technology. Similar to when you’re trying to tag your friends on facebook and it selects the wrong persons face. It’s still got progress to make which also makes it very vunerable to attacks right now.

Hacking a phone and laptop has never been easier, so where does the chain of connections end in your organisation?

How you should be dealing with them

I get it, it’s hard. It’s hard to get a contractor on the phone and ask them if they’ve got business continuity in place and if not, why not? But you need to do this. RiskLogic has provided basic, smaller Business Impact Analysis’ and Emergency Plans for our client’s contractors before and this is a positive, quick win in getting them aware and interested in business continuity.

Start with the basics:

• What information do they have?
• How are they storing it?
• What are their backups?
• What are their response plans like?
• How can you aid to protect yourself?

I’ll be spending a bit of time around this in the New Year as I believe there is a big gap in the resilience here. It’s important in New Zealand that we stay ahead of this, could you imagine how many contractors are currently chipping away in our small country right now?

Until then, plan, do, check & act…

Contact Us today to learn more

Criminal Investigations within an organisation tend to be on the far side of the spectrum when it comes to a crisis, but their importance to your resilience planning is equal to anything else you should consider. In New Zealand alone, there have been 267,465 victimisations in 2017.

Criminal Investigations cover many events such as staff thefts (which can be widespread in retail or warehouse environments), fraud including false accounting or misappropriation, sexual assaults, unauthorised use of IT systems and access to computer systems.

Knowing when it’s necessary to initiate the steps in investigating a criminal act is important to effectively maintain the correct procedures. This April, RiskLogic has partnered with Veritas Investigators to help bring this delicate subject to the surface while in turn, promoting a more open discussion around it.

Veritas Investigations recently undertook an advisory role where a company’s employee had been charged with kidnapping.  The company was initially making blind decisions without realising wider implications of both the police investigation and their responsibilities as an employer.  Veritas Investigations were able to provide advice regarding the police investigation in order to mitigate any adverse media coverage.  In addition, they assisted the company with locating and interpreting data which helped inform them about future hires.

When an event as serious as this occurs to an organisation, there should be strict predetermined processes set in place to ensure legal and compliant steps are taken. Events that are serious enough to seek external Investigators are ones that require planning and practice prior.

When reviewing or running your Business Impact Analysis (BIA), there are certain questions to consider:

• What are the considerations of key factors that will influence major decisions?
• If a complaint like fraud is made, are you confident that police will investigate in a timely manner? What is your process if not?
• What may happen between business, client/customer and Key Stakeholder relationships should something occur?

Often when an internal investigation is initiated, it’s hard to keep it confidential. Employees, third parties and in some cases media, can become aware of the decision to seek police or private investigators. This only brings with it more concerns and reputational risk. Your sensitivity of investigation and potential risks need to be evaluated well before any plans are set into motion. Think; does my organisation hold a level of risk we can not afford to be tampered with internally or within the media?

Sometimes, however, investigations don’t involve the police. This is usually down to the discretion of the organisation in question, but it can be handled in other ways. For example, a whistleblower alerting a company to thefts committed by a trusted employee who is related to the business owners

Whether police are involved at an early stage or not, many companies will engage the services of a Private Investigator to oversee and manage the process from the company’s perspective. This is especially effective when the process and contact of your chosen investigators is well documented and aligned to your Business Continuity Plan (BCP).

More than ever, companies are seeking more continuity in their business plan and looking for more ways to reinstate or retain the confidence of their shareholders, clients, customers, and Key Stakeholders. With the help of contracting reliable and experienced Private Investigators, this can add to your resilience and credibility.

Contact Us today to learn more

It may seem obvious, but the line between Business Continuity and the definition itself is very blurry.

The mistake businesses often make is the definition of the name. It’s not about business continuity, it’s about critical business continuity. Continuing the critical part of your business should be the core objective of business continuity (BC). BC implies it’s all of business, which is where the mistake is made. You don’t need to recover the whole business, just the critical parts of your organisation, the process and functions that if not recovered will have the largest impact on your organisation. Whether that be financial, reputational, human, legal or operational.

What the ‘Good Practice Guide’ says:

A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

 

Step 1: Analyse

Assessing vulnerabilities and understanding the impacts of a disruption to your organisation.

 

Stakeholder engagement
The most important part of this step in your business continuity journey is to ensure that all key stakeholders have buy-in for the process. This means that the implementation of the BC journey for your organisation is backed by the people from the top.

Policy and Framework
Intentions and directions of an organisation that sets out the scope and governance of the BC program and reflects the reason why it’s being implemented.

Business Impact Analysis
The main technique used for the analysis of an organisations business functions.

Threat Assessment
The process of evaluating threats using risk assessment techniques to identify an acceptable concentration of risks and single points of failure.

 

Step 2: Plan

“Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following a disruption.

 

Crisis Management
Strategic plans define how strategic issues resulting from a major incident should be addressed and managed by Top Management.

Recovery Strategies
Recovery strategies will provide a step-by-step guide for recovering your Critical Business Functions ensuring that functions recover fast to meet the Maximum Allowable Outage (MAO) expectations.

Business Resumption
A business resumption strategy contains a series of actions and steps designed to return the affected business to its pre-interruption status and includes restoration or relocation of facilities and resumption of operations to maximum capacity.

IT Disaster Recovery
A task orientated document designed to provide the IT disaster recovery team with the tools to identify, assess and respond to companywide incidents affecting IT infrastructure, software or hardware systems.

 

Step 3: Validate

Build capability, rehearse and test your program to demonstrate your level of preparedness.

 

Awareness Training
It is essential that all individuals undertaking BC related tasks at any level have the appropriate level of competence for the role through:

• Training
• Knowledge
• Experience

Crisis Leadership Training
Suitable for senior leadership with overall crisis management responsibilities. Training specifically designed to build awareness, critical skills and crisis leadership capabilities of your team using the latest experiential learning techniques and real-world case studies.

Component Testing
A testing regime to provide appropriate coverage of all agreed business continuity recovery activities. This includes defining performance indicators and establishing test scripts to validate the recovery of critical business functions as identified in the Business Impact Analysis.

Scenario Exercises
Rehearsing an organisations BC program via realistic, hands-on scenario exercises is critical to:

1. Build familiarisation with staff roles, responsibilities, processes and available tools
2. Identify practical program improvements
3. Provide a high level of stakeholder assurance in an organisations recovery capability

 

Step 4: Maintain

Review and rehearse your program to build resilience and ensure continual improvement through:

• Reviews & updates of your entire program
• Annual training for your response teams
• Annual exercising for your response teams and staff

In summary, Business Continuity needs to be a business as usual activity preparing for extreme events. Your organisation should plan for the worst but hope for the best. But the task doesn’t need to be time or resource heavy.  An effective response is about task orientated activities and the ability to thrive through adversity.

As with any event, it’s not a matter of if, but when. Understanding the lifecycle of BC, implementing it into your business and building a culture around it will be what ultimately sets you apart from your competitors when a major disruption or event is realised.

 

If you’d like to know more about how RiskLogic can help implement or review your current BC program at your organisation, contact us today to learn more.