Category: Business Continuity

  • Netflix’s ‘The Horn’: the Epitome of Resilience


    Please note, this article contains subtle spoilers on the Netflix documentary, The Horn.

    At our RiskLogic sessions on Business Continuity, Emergency or Crisis Management training, we usually ask what our class’s summary of resilience is. Personal experiences mixed with what they’ve read online produce a variety of answers, but we believe we’ve found a visual example of the perfect response.

    It’s called The Horn, and it’s a Netflix documentary now available to stream.

    In summary, The Horn follows the paramedics and helicopter pilots of Air Zermatt, a specialist rescue organisation located at the base of Switzerland’s famed and ferocious Matterhorn.

    The Matterhorn Mountain and neighboring peak. Located in Zermatt, Switzerland.

    The film crew obtained unprecedented access to the extreme conditions and work that these men and women do, resulting in a dramatic, beautifully shot documentary that can make most jobs feel somewhat…neutral and safe.

    I wanted to dive into the key aspects that make it so relevant to what we’re training out and what RiskLogic’s own values are.

    I broke it down into five key sections that relate to the six episodes available:

    1. Team work
    2. Resilience
    3. Planning & Training
    4. Communication
    5. Passion

    If you’ve not seen the documentary yet (stop reading this and go watch it!) and/or have little knowledge of the Matterhorn in Zermatt, here is a quick breakdown:

    • Matterhorn height: 4,560m tall (836m taller than New Zealand’s Mount Cook).
    • Zermatt ski slopes and tourism: 200km of slopes (21km in summer), 3 million tourists per year.
    • Sports undertaken in the area: Skiing, snowboarding, hiking, climbing, mountaineering, base jumping, abseiling, hunting, paragliding, heliskiing, sledding, ice-skating and much more.
    • Number of rescues: 1,600-1,700 per year (nine available helicopters)
    • Fatalities & climbs: 500+ climbers have died on the Matterhorn, 2,000 make the ascent to summit annually.
    • Weather: Due to its location and size, it creates its own weather system, making it one of the most challenging rescue locations on earth.
    • Rescue range: 2,000 square kilometers
    • Staff: 6 full-time and 5 freelance pilots; 5 certified flight instructors, 7 paramedics, and 15 mechanics.
    • This year marked their 50th year operating.

    1. A Perfect Example of Teamwork

    The teamwork Air Zermatt portrays is second to none and is shown almost immediately in episode one. No more than thirty seconds in, you’re introduced to the extreme conditions these specialist rescuers are put through.

    Dangling from a 30ft long rope in a tight crevasse, carefully held and directed from his team above, Simon, a mountain rescue specialist, is slowly making his way to his patient. A mountain skier has fallen into one of the most extreme places on earth, and his only way out is from the perfectly rehearsed teamwork the rescuers possess.

    Simon is a volunteer and highly rated by his peers as one of the most experienced mountaineers available. He races into Air Zermatt when he is required and called – all year round.

    Jumping into the helicopter seconds from taking off, he is briefed and begins preparation. Everything is seamless. The pilot and the paramedics are happy to see Simon again. When they land, he assesses the situation and decides on a plan that everyone trusts and acts upon. Within a few minutes of landing, Simon is meters away from his patient, beginning the procedure and rescue as planned.

    Simon Anthamatten of Air Zermatt

     

    Although the scenes after this may be distressing to some, it’s a brilliant ending to episode one that portrays an ultimate level of brotherhood and faith in one another.

    Almost every ten minutes within the show, you are introduced to more examples of their impressive teamwork. Episode four introduces you to the junior paramedics who are going through their training. What stuck with me was that their tutor/trainers are paramedics employed by Air Zermatt, not at a University or a training school. The people who taught them will be the people they work alongside. With this, a dynamic but extremely effective routine is set up early on and followed throughout their careers.

    “I just need to tell you how amazed I am by the level of teamwork you displayed”, a patient declares to his rescuers.

    Everyone knows the drill, there is no question of capability. Everyone seems to know exactly where everyone is, even when they’re 30ft beneath the snow.

    2. Resilience

    Episodes five and six talk of the mission during one of their busiest periods. Air Zermatt is put through extreme conditions regardless of the tourism boom, but in the height of the season, they are seen rescuing 20+ patients a day. With nine helicopters and an average of an hour per rescue, days are long and exhausting. For the team though, not having enough time to finish lunch is the norm, but not being able to complete the mission isn’t.

    In one instance, a hiker heads out on an easy, up-and-down route to a pass. Here, he is struck by a devastating white-out that brings with it extreme fog and winds. He pitches his tent right where he stands and assesses the situation; it’s not good. With only a day of food and three days of water, he decides to activate his emergency beacon. Air Zermatt picks this up instantly.

    As you’d now expect, the pilots are in the air within minutes; however, they’re confronted by extreme weather and simply can’t get to him. With a small signal, the team can keep in touch with the stranded hiker over the phone, but by day three, his phone dies.

    One of the four Air Zermatt helicopters

    “This is going to be really tricky. The weather conditions are quite bad this close to the ground. There is no way, I’m sorry, we can’t make it tonight” radios the pilot back to base.

    Throughout the three days this mission runs, the team have no choice but to carry on with other rescues while the weather clears. Their minds are on the job, but also with the lost hiker.

    “Sometimes, I go home and try to switch off, but my thoughts are still with the patient, stuck on the mountain. I get to sleep in my bed, but he is still there, trying to survive”, explains senior paramedic, Patrick.

    Patrick Wenger — Air Zermatt Paramedic

    By day four, an exhausted team has no choice but to head up the mountain one more time; they see a break in the fog. Upon approaching, they explain a detailed situation to the French specialist rescue team they had picked up beforehand. Setting them down onto a small ledge, the team begins the search for the tent. It’s here their resilience is shown once more.

    Despite the odds and likelihood of a rescue, the team pushes on. Communications are passed throughout the base and plans are put in motion. Paramedics remain on site, pilots prepare to take over the pickup, hospitals are on standby. Everyone has done this before, they are calm and collected.

    “They are sometimes called the heroes, although they say they just do their jobs…they changed my life”, says the stranded hiker.

     

    3. Planning & Training

    Air Zermatt runs like clockwork after fifty years of operating. They’ve dealt with many varieties of situations and seem to have a plan for every one, but we all know that’s not the case. There are simply too many scenarios possible to have an individual plan for each; therefore, you must assess and group them into priority areas.

    In one episode, the siren once again sounds throughout the base. Patrick, a key member of the show, learns of a patient en route, but soon finds out her status: code blue.

    Netflix's 'The Horn' is the Epitome of Resilience | by Ollie Law via Medium | RiskLogic

    Senior Paramedic and Doctor, Axel Mann.

    Code blue is one of the more serious situations the team can deal with. It is a patient who will not survive long enough to get to a hospital and is effectively classed as ‘dead’. The paramedics’ job is to work fast and precisely to bring them back.

    The patient is brought into the hangar on a stretcher and, almost like a rehearsed dance, the six crew get to work in between the docked helicopters.

    “OK, everyone pauses. Take a breath. OK, let’s go again…” orders one of the paramedics.

    It’s the middle of winter, but the crew are soaked in sweat from their efforts. In the background, mechanics stare and observe the tense moment. The camera crew keeps a distance.

    Jump back a few episodes, and you get a glimpse of how the team prepares for this. During a lunch break, the trainee paramedics are called urgently to assist with a seizure case. Slightly confused and disorientated, the two are caught off guard and need to regroup themselves.

    Junior Paramedics in an emergency drill

    When they enter the hangar, they see senior paramedic Patrick sitting on a chair having a “seizure”. Despite knowing this is a drill, the team take it extremely seriously and grab all the relevant equipment.

    “I think that is the best communication you’ve had so far. You kept relaying the steps and did your A.B.C’s. If you keep this up, you can both be great paramedics”, Patrick praises after the session.

    For pilots, their job roles are drastically different and require their attention to be on the safety of their colleagues. In the series, every pilot classes the other as “probably the best in the world”, but it’s the training they give themselves that brings that to light.

    After 14,000 hours of flying, CEO Gerold is their most experienced pilot and only took the top job on the agreement he could continue to fly. But even he recognises the need to constantly train. In episode four, he is assessed by his colleague and junior on his capabilities.

    Despite a flawless assessment, Gerold showed a commitment and standard to all by ensuring he was not exempt from continuous training and preparation.

    Air Zermatt CEO, Gerold. Photo credit @POSTAS

    His senior status is nothing but a title on paperwork back at base during rescues. Everyone recognizes the need for teamwork and even when this is practiced, it is treated as equal.

    4. Communication

    It’s next to impossible to pick out one example of communication within the organisation. Each employee speaks at least three languages, they express a constant drive to keep everyone informed and can present themselves on an equal level to their patients during a rescue.

    That is, of course, with the exception of Axel.

    Senior Paramedic and Doctor, Axel Mann.

    Their most experienced and senior doctor seems like an older version of The Terminator and is a typical German/Swiss with ‘Mann’ as a surname. With a weathered face, strong jaw and large eyebrows, Axel would come across as the last person you would want to attend to you, but you would be wrong.

    “Axel is amazing. If you are in trouble and Axel is there helping you, you will be good. I have rarely seen him make any mistakes in the thirty years we have worked together”, CEO Gerold Biner explains.

    During one episode, Axel is trying to attend to a young woman who has a concussion from a skiing accident. She is disorientated and confused trying to get free from the stretcher. While trying to do his job, Axel speaks up and orders the lady to listen.

    “HEY! Listen to me OK, we’re trying to help you, you need to stay still and let us WORK!” he points and shouts to her.

    It’s a mixture of humor and aggression that comes from Axel’s personality, but his approach is effective. He only speaks when it’s necessary, and when he does, everyone listens. His credibility and experience have created a foundation of trust and respect for Axel from his peers. It’s concise, it’s professional and it gets tasks done.

    Later in the series, Axel is called upon to assist with multiple rescues on a ski slope. By the fourth rescue, the weather once again sets in. The helicopter leaves with two patients and not enough room for Axel.

    His cell phone rings, “Axel, the pilots have said they can’t get back to you, it’s too foggy now, sorry”. “What am I supposed to do, it’s an hour walk back from here”, Axel asks. “Gerold says get creative”, responds the lady at HQ.

    Despite his aggressive look and boisterous approach to communication, Axel manages to convince skiers and mountain staff to make a sled, and ski him down. In a hilarious shot of this senior doctor being led down the slope behind skiers, his phone rings again.

    “Are you being creative Axel?” the HQ lady asks.

    5. Passion

    By now, you’ve likely got an idea of their commitment and passion for their roles. A love for their jobs, their colleagues and mission has produced a company that can set an example for the rest of the world. They believe in what they do and are prepared to spend hours perfecting it.

    If it wasn’t for the passion for learning, saving and excelling at their jobs, many more lives would be lost on those mountains. This is something we could all learn from.

    It was perhaps the last quote by CEO Gerold that summed it up best.

    “All these questions, they arise, and you learn, and you try to figure out the best way for yourself. Mainly it’s a school for life what we do here. Sometimes in a very hard way, but that’s what it’s all about. Being a human being…”

    In conclusion…

    We were pleased to come across this documentary, not just because of how well it’s put together, but because there is another great example to touch upon when we meet people now. Another case-study that we can use to perfect our own resiliency and revisit to inspire plans and actions.

    I highly recommend watching The Horn when you have a chance, but when you do, ensure you concentrate on the key elements that assist them in their jobs: teamwork, maintained by communication, progressed with resiliency and set upon a passion for what they do.

    Until next time, plan, do, check and act…

  • Bangalore’s Organised Chaos & its Effectiveness

    Same country, different client.

    You may remember last year, RiskLogic shared our trip to India; our furthest trip with a client. Well, now I’m back, but this time it’s with a leading IT organisation.

    If you’ve ever rung an IT helpdesk for advice or support external to your business, chances are the phone is being answered from the Manyata Embassy Business Park in Bangalore.

    A site that manages to cater for 100,000 employees every day working for some of the biggest names in the Tech Industry.

    My week in Bangalore saw me at the park every day and it brought a whole new meaning to the phrase, organised chaos.

    Getting around

    Everyone is on a mission in Bangalore, and if your scooter, car, bus or Tuk-Tuk has a faulty horn, it’ll stay at home. The overpowering presence of loud noise is what (somehow) controls the waves of vehicles and pedestrians. Align this to the smells, heat and towering buildings; you’ve got yourself organised chaos.

    With a population of just over 12 million, and the average house owning 2 vehicles, you question what actual room they have left, but somehow, they make it work.

    After yet another nail-biting drive to the office with my driver Srinivasa, I’m dropped at the front door to my client. Out of the heat and into the world of air-con again.

    Being flexible for your people

    After several layers of security, I finally get to the meeting room. It’s the first time I have been asked to write down the serial number of my Microsoft Surface Pro at the security desk. Now where would that be?

    I’m back in India again to do what we at RiskLogic do best: making companies more resilient so they can better serve their key stakeholders.

    Business Continuity is what we live and breathe, and a standard project would normally run over 3 months. This trip, I have 5 days (the same timescales as my week in Prague!).

    We are known for flexibility here at RiskLogic; we make it work for the client. Of course, some careful planning and pre-trip preparation (during the long-haul flights) is required with condensed deliverables, but we get the job done.

    For me, the professional preparation and flexibility for clients, although tiring, opens up opportunities for more effective conversations when it counts. 

    An Indian example of communications

    There are 300 different dialects here in India, which not everyone speaks, so English is the foundation language; handy!

    The Indian team are great: smart, professional and passionate people. It makes the process flow and we get the job done.

    They are very passionate about delivering to their key stakeholders and take business continuity extremely seriously.

    They must: when your RTO (Recovery Time Objective) is set at 5 minutes, preparation is key.

    The pressures of being an 8-billion-dollar company can be seen on the faces of the managers I’m meeting with.

    The second day on site, I’m informed that there will be a fire drill. Of course, my ears prick up, this should be interesting.

    A fire drill for an $8b company

    We are in a building of about 1,000 people, my client occupies the 3rd floor of this 7-story building.

    The alarm sounds and we start to evacuate. The siren is ear-piercing in the stairwell; I really want to get out, which is the point, I guess.

    The rest of Manyata Embassy park is business as usual of course, and the cars, trucks and scooters don’t stop around the mass gathering we’re accumulating.

    Several wardens direct us to the assembly area, stopping cars and trucks en route, and we start to line up in company lines, a good 500 meters away from the building. Check!

    I can hear some guy directing everyone over a PA in English, hundreds of people are listening. Perfect, another check.

    After about 5 minutes, the PA man starts to talk us through the importance of evacuation drills with some real-life examples of real events that have not run as smoothly.

    He doesn’t mince his words. He is full on now into an Emergency Management training session and explains what everyone should know: how to evacuate your people with and without any equipment, two- and one-man carries, fire extinguisher training, even loading casualties into the back of an ambulance. The lot.

    I’m impressed with the whole session, and the main message for me is what I’m always telling my clients.

    One of the few times you can get all your work force in front of you is during an evacuation drill. 

    Lessons learnt

    Use the time wisely, it’s a great time to spread a message about the importance of Emergency Management or Business Continuity and anything else needed to be communicated on a large scale.

    To an outsider, the noise and huge amounts of people can trigger some major anxiety and overload of senses, but to the locals here, they’ve mastered how to ensure everyone listens when it counts. Really impressive stuff.

    The rest of the week goes well, finishing off with some training and a mini-exercise for the newly formed Business Continuity team, who still have a lot to learn, but they’re as committed to BC as they are to business as usual and proud to be resilient for their global client base.

    Next stop, the Czech Republic where we reset and start the process again. A new team but the same client and no doubt some new challenges and lessons.

    Until next time, Plan, Do, Check and Act…

  • Business Continuity in Prague | Four Key Points


    This week, we at RiskLogic found ourselves in Prague, Czech Republic, continuing the work we had started with our new client the previous month in Bangalore, India.

    Although my client contact was the same, the team was new. Within five days, we had to complete a 3-month Business Continuity program, so timings and delivery were intense.

    It was both exciting and bizarre to be in Prague. I can’t say I’d ever thought I’d be consulting there or in India before it, but here we are.

    Our client base is growing and with it, their reach and need for global business continuity solutions. So, the business reached out and RiskLogic provided.

    In fact, I wasn’t the only person overseas this month. Briony from our Melbourne office is in Milton Keynes, England while Simon, our Regional Manager NSW, QLD & ACT, is in the United States.

    During my time in this amazing city, I picked up on four points I think are important to reiterate and share with my network.

    Here they are below:

    1. Communications

    I found that having this at its highest level was vital, not just with the client, but internally at RiskLogic too. Maddie, based in our Sydney HQ, was supporting me with the Business Impact Assessment (BIA) we were completing on site.

    Maddie was able to do this while also completing an induction for our new staff member, Mary. Really impressive stuff!

    I made it clear early to my client that her timezone was a day ahead; it would bring challenges, and we’d all need to be flexible. If she rang me with a query, everyone stopped. If a report was required, everything was on hold.

    With the client, getting a whole organisation into a BIA meeting within two days was a significant challenge too. Especially as the flu season has arrived here in Europe (I got my fair share of that too).

    With people off sick, I wasn’t hopeful we’d get many meetings completed; I was mistaken. My client contact, Choon-Hian, had worked hard on presenting the importance of this week, and sure enough even sick staff were logging in and conferencing over the Cisco system.

    That brings me onto my next point…

    2. Buy in: do the hard yards

    When you’re introducing a new program, don’t just talk to the senior stakeholders in the process; communicate it company-wide.

    You don’t need to hold massive conference meetings, you don’t even need “all user” emails sent out. Just start small drips of concentrated information that will be talked about internally naturally – like a viral bit of news.

    This client is huge; they have large offices all over the world and some of the biggest clients available. Choon-Hian is from Singapore, my other contact is from India, there is a systems support manager from South Africa, and the boss is back in Sydney. When you fly three overseas staff members and a senior manager from New Zealand to your office, your business understands the importance of the project.

    But that still shouldn’t be all you do.

    I saw Choon-Hian constantly let even the most junior of staff know his wider BC plans. “By 2020, I want this organisation ISO 22301 accredited, so this is the stepping stones to a 2-year journey”.

    3. It’s a journey to invest in

    Choon-Hian was full of great quotes and is a committed and enthusiastic BC professional. After showing him our incident response pyramid, Choon-Hian got it and began sharing this way of looking at BC to the wider team.

    “This is the beginning of a new journey, not the end” he says one afternoon to the team. He encourages people to understand that this may take some time, but it’s ultimately going to change the face of the business.

    Any organisation can have a business continuity program, but if no one is invested into it, it won’t be used when it’s most needed.

    Choon-Hian avoids this by constantly reiterating the values and importance of the program. However, he’s careful with his words and can thoroughly explain his plans to the team and wider business. As an outsider trying to deliver a project to a client, it’s a breath of fresh air.

    4. BD: servicing the most important clients

    I can’t talk about my client’s critical stakeholders, but let’s just say one of them creates some of the most beautiful machines and had a revenue of 99 billion euros in 2017. That’s an important client!

    At the far end of my client’s building is a secure area which is solely dedicated to this critical stakeholder. A huge, silver wall with the client’s logo, a very recognizable logo may I add!

    You can’t enter without a special pass, so we’re escorted in. Inside are tech wizards sitting with no less than three monitors and two laptops. Numbers and strategies line the wall while automatic blinds shut out outside interest; this room means business!

    How do you build confidence in a client that’s given you all their most personal details, making that much revenue? You show them your business continuity plans.

    During a recap meeting, a senior stakeholder walks us through where his team operates from. Choon-Hian explains the plan for ISO 22301 accreditation by 2020 and I top it with “that goes a long way when it comes to BD and credibility for new clients”. “Oh, you don’t have to tell me twice!” he says. “Being ISO accredited has been the deal breaker for us in the past”.

    Internal and external branding on a global scale was huge for this client. Huge pictures of Prague lined at least one wall in the meeting rooms.

    Abstract shapes line the windows, and I’m told this is consistent on a global scale. For their BC, it’s the same. We’re already talking about what’s happening in the States and Malaysia. It’s great to work with a client who understands the requirement to roll out BC across all of its critical Products and Services, wherever they are based.

    Brad Law Prague BIA

    Conclusion

    What a fantastic month we’ve had so far. I have a growing team of professionals like Mary (who completed a report for me on her second day of work!), Nick who has more enthusiasm for his new role than most, and of course my son, Ollie, who was great to have around this week assisting in the meetings and scenario exercise in Prague.

    This client makes it easier too. Constant communication with me, passion for the program and a drive to get fully on board with a 2+ year journey. Seeing such large-scale implementations and communication is inspiring. The guys at the top should be proud of their team.

    Until next time, plan, do, check & act…

  • This Is What To Consider For A ‘Working From Home’ Policy

    First things first: social distancing

    Not coming into the office due to illness is a good move. Unfortunately, the stigma around calling in sick can turn some off, especially passionate staff. We as leaders need to make it clear that if staff are concerned, they can, and should, stay home (and work there if they can). By setting procedures to support them while at home, we may just battle this virus yet.

    There is an uncomfortable movement happening in the corporate world right now, and it’s the lack of handshakes.

    It’s a crucial step for us all to do our part in minimising the impact of a virus. But it takes some getting used to when dealing with clients or authoritative figures. It’s these new simple, but important requirements that many are starting to pick up.

    In Europe, hugging and kissing is a standard greeting. But again, this is one of the best ways to help COVID-19 transmit from person to person. If everyone stayed at least a metre away from each other, this would help considerably.

    Globally, many events are being cancelled which can seem drastic to some, like the possible cancellation of the Tokyo Olympics. But at an Auckland concert on April 28th of February, the reason for these cancellations became clear. One man who was recently back from Italy attended the Tool concert at Spark Arena. Standing body to body with thousands of other fans, this one person may have catapulted New Zealand’s infected cases.

    Another man in Japan may have knowingly spread the virus in bars after he was told he was infected.

    Any strategy which creates distance between people, from no handshake to the cancellation of mass gathering events is classed as social distancing. No matter the situation or awkwardness you may encounter, we’re all in this together and social distancing needs to be the norm in 2020 if we’re to combat COVID-19.

    True or false?

    A) A work from home policy requires all staff to test this before it is required.

    B) During an outbreak like COVID-19, all staff should work from home.

    C) Thanks to the cloud and remote technology like a laptop, Zoom, Slack and emails, it is easier than ever to work remotely.

    How did you go answering these? The lesson here is to appreciate that much media hype accredits to poor direction and advice. Working from home (WFH) is more complex than simply setting up your laptop at your kitchen table. There is much to consider.

    The answers to the above are:

    A) True. But did you consider your IT system? Most IT infrastructures can’t handle 100% of staff working remotely. Testing this before it is needed gives you good insight into your organisation’s capabilities.

    B) False, but if your IT system can handle it, the more people that work from home the better. Staff who are critical to the operation of your organisation should be the first to work from home. Especially if no one else can step into their role and complete the same output.

    C) True, it has never been easier, but some teams, such as call centre staff, will struggle to work from home because the technology they require is not necessarily available at home: specific phones and IT systems to record and administer calls, for example. So each team must examine its own needs and understand who can and cannot work from home, and what they need to be able to.

    In our continuous monitoring of the ever-developing Novel Coronavirus (COVID-19), we’re starting to acknowledge weekly trends. This week it’s around working from home.

    Let’s take this article, as an example, that focuses on the individual understanding what it takes to work from home. There are some fair points in there like cleaning your home, providing adequate breaks, putting on the correct clothing to get into the right mindset.

    And although we strongly advise you to consider this option, it’s important to practice it, understand who needs to be working remotely and how your IT infrastructure will handle this. You don’t need to practice it with everyone either to get a lot of feedback.

    Leadership considerations

    If you’re part of a leadership team having conversations around a WFH policy, there are some questions to consider on behalf of your people.

    • How confident are you in your staff’s internet connection?
    • Do your staff need a VPN set up? Is this stable and ready to go?
    • Will all applications, data and systems work?
    • Do staff need extra gear at home like screens, docking stations, keyboards? (Who will transport these and how will you record inventory?)
    • Do documents need to be printed now, are they confidential?
    • Are all staff members’ contact details updated and accessible?

    Keeping in touch with colleagues is crucial, even if it’s you that’s at home while they still commute in. Set up regular team scrums over a video conference. Set basic agendas where necessary as you want to focus on the same type of conversations you’d have if walking around your workplace.

    Keeping sane outside of the office

    It is no lie that the treat of working outside of an office environment can wear off very fast. Being in your home from the moment you wake to the moment you sleep can have negative mental effects over prolonged periods.

    You can make this environment more comfortable and work ready by:

    • Setting up your workspace the night before (coffee, notepad, clean space, smart clothes).
    • If applicable, take the opportunity to work in your garden/outside.
    • Leave a book out you’re reading, take a break every hour and read a chapter to refresh your mind.
    • Exercise well. Put an hour block in your calendar to get out of the house for a walk or run.
    • Start your day an hour or two earlier. Without the commute, you can now finish early and get all those chores done before the family is home.

    If you are in public places at risk of becoming infected with the virus, there are ways you can prepare.

    • Wash your hands regularly with soap and water for at least 20 seconds and dry thoroughly. This is the single biggest strategy that will protect you. Always wash your hands when:
      • You have coughed or sneezed
      • You have been to the toilet
      • Prior to, and after eating
      • After touching any communal space such as an ATM or reception desk
    • Try to avoid touching your face (sounds easy but it really isn’t).
    • Always carry a small hand sanitiser.
    • Facemasks will NOT reduce your risk of contracting the virus, in fact they are counterproductive as they give you a false sense of security and mean that you are less likely to practice the important strategies that can help you. Forgot to wash your hands then removed the mask? Its purpose is now redundant.
    • Avoid public transport.
    • As above, avoid human contact altogether – no handshakes, kissing or hugging. The largest increase in infection was Valentine’s Day this year!
    • If you’re buying lunch/food, assess whether the food is in the open (for example, some cafes have their cakes on the counter, exposed – avoid these).

    RiskLogic has now produced dozens of Pandemic Response Plans. We’re working with many new and current clients to review everything from Crisis Management Plans, to Business Continuity.

    If you’re considering using our services to help your organisation, now is the time to act as we are getting our highest increase in requests to review or write plans. 

  • The importance of Training and Exercise

    If you follow the Business Continuity Lifecycle, (and we recommend that you do) then the professional practice of Validation is number six on the list. This implies that it’s the last phase and, in most instances, it is.

    Unfortunately, this may be the reason it often goes ignored, possibly due to budget constraints, resourcing, or a more urgent project that becomes the focus for the organisation. Regardless of the reason, it really should be the phase where most emphasis is given. You can have the best plans in the world, but if you haven’t trained and validated them and your people, you are setting yourself up for failure. ‘It’s all about the people.’

    Business Continuity Life Cycle

     

    Invest in your people

    It is essential that all individuals undertaking BC related tasks at any level have the appropriate level of competence for the role.

    For each role in the Business Continuity Management (BCM) programme, the necessary skills and desired competence levels should be identified. Individuals should then be assigned to roles according to their current level of competence, and any training needs identified.

    A successful BC training programme should aim to make BC a part of the culture and the ‘way things are done around here’. This will increase the organisation’s ability to foresee threats and respond appropriately and in a timely manner, and therefore improve levels of resilience.

    Train them, then validate them

    A Business Continuity Plan (BCP) is considered a draft plan until it has been validated through a scenario exercise. This is similar to your people when it comes to their training and knowledge. Give them the opportunity to build confidence with their plans and their own capability. It’s better to do this in a safe environment while you have the opportunity – not wait until you are in a real crisis event.

    The purpose of Validation is to ensure that the BC capability reflects the nature, scale and complexity of the organisation it supports and that it is current, accurate, and complete. Validation additionally confirms that actions are taken to continually improve organisational resilience.

    It is vital to run a scenario exercise as an organisation’s BC capability cannot be considered reliable until it has been exercised.

    Each exercise within the Exercise Program needs to be carefully planned to maximise the benefits from the time expended in developing and delivering it. The following should be considered:

    • Realism
      • Exercises should feel as real as possible
    • Minimal Exposure
      • Exercises should minimise the exposure to disruption
    • Costs and benefits
    • Preparation
    • Scope, complexity and skills required
    • Participants
      • Who should be involved

    Over the past decade, RiskLogic has facilitated over 850 training sessions and scenario exercises including the MCG Anti-Terror Scenario, as reported by Sunrise on Channel 7.

    We are the industry-leading supplier of realistic and valuable exercises that encourage all teams and individuals to learn and act upon the situations we put them in.

    For more information on the importance of training and exercise, you can contact us directly for a discussion.

    info@risklogic.co.nz 

  • APRA Prudential Standards CPS 234 Information Security

    New cyber security requirements for financial services industry

    To combat the rising threat of cyber-attacks and ensure entities have measures in place to maintain the integrity and security of sensitive client data, the Australian Prudential Regulation Authority (APRA) has released the new Prudential Standard CPS 234 Information Security. The standard is in place to ensure organisations within the financial services sector develop resilience against cyber security incidents, making certain they can respond swiftly and effectively in the event of an information security breach. The Prudential Standard CPS 234 sets out a strict and comprehensive series of requirements that entities should meet to protect themselves against information security threats. It is critical that all Australian regulated entities familiarise themselves with the requirements of CPS 234 to ensure they are compliant when the standard comes into effect on July 1, 2019.

    Key takeouts

    The APRA Prudential Standard CPS 234 is a Board responsibility. It requires information security related roles to be clearly defined, and a policy framework and plans to be in place and regularly tested.

    Entities must notify APRA of breaches to their information security within 3 days. This includes information managed for regulated entities by third parties.

    Entities have until 1 July 2019 to comply with these new standards.

    Who does CPS 234 apply to?

    CPS 234 applies to all APRA-regulated entities. These include:

    • Banks (authorised deposit-taking institutions (ADIs)), including foreign ADIs authorised under the Banking Act;
    • General insurers;
    • Life insurers;
    • Health insurers.

    What are the requirements of CPS 234?

    CPS 234 requires APRA-regulated entities to meet the following:

    Roles and responsibilities

    • The Board is ultimately responsible for the information security of the entity
    • The entity must have clearly defined information-security related roles and responsibilities, covering roles of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.

    Information Security Capability

    • The entity must maintain an information security capability commensurate to the size and extent of potential threats to its information assets.
    • Entities need to ensure third parties managing their assets also have the security capability to manage these threats.
    • The entity must actively manage its information security capability with respect to changes in vulnerabilities and threats resulting from changes to information assets or its business environment.

    Policy framework

    • The entity must have policy frameworks in place.
    • The framework must provide direction on the roles of all parties responsible for maintaining information security.

    Implementation of controls

    • The entity must have information security controls to protect its information assets, including those managed by third parties.
    • Regularly test and exercise these controls (Minimum annual testing).
    • Update controls if deficiencies are identified during testing.

    Incident management

    • The entity must maintain plans to respond to information security incidents.
    • Response plans must include mechanisms for managing all relevant stages of an incident, from detection to post-incident review.
    • Plans must be tested annually and reviewed to ensure they are still fit for purpose.

    APRA Notification

    • The entity must notify APRA of an information security incident no later than 72 hours after becoming aware of the incident.
    • The entity must notify APRA no later than 10 business days if a weakness within the security control is detected, which the entity expects it will not be able to remediate in a timely manner.

    RiskLogic has expanded services to include Cyber Consulting to help entities strengthen their cyber security controls and comply with the new standards by 1 July 2019. For further discussions, book a consultation today.

  • Pick me! How to select a team member when the talent pool is extraordinary

    Here is a challenge, which may also test your unconscious bias.

    If you had to appoint one person to manage your crisis management or business continuity strategy, who would you go with?

    1. A former police forensic scientist who worked in INTERPOL’s Counter Terrorism and Emerging Threats Directorate, with commendations from the FBI and the US State Department.
    2. A former Australian Army officer with Honours Degrees in Biomedical Science and Biochemistry who has conducted health support operations in Australia, PNG and Bougainville.
    3. A senior risk and resilience specialist with ten years in the oil and gas industry in Canada and the Middle East, a Degree in Human Geography and Criminology and a Masters in Science, Security & Organisational Risk Management.
    4. A certified Business Continuity Practitioner with a decade in business resilience and crisis management in the telecommunication, insurance and finance sectors, including experience in South East Asia.
    5. A former senior Australian diplomat who has supported Australia’s crisis response to events in Iraq, Syria, Bangladesh and Nepal, including service in Australia’s Embassy in Afghanistan.
    6. An MBA qualified banking and finance executive, with 11 years across Westpac and NAB, with deep networks in boards and executives across Australia’s largest listed and private companies.

    It is such a tough decision to choose only one, right?

    The good news is, RiskLogic now has all these people on our national team, with six new appointments and promotions.

    And if you pictured six highly qualified men, think again, because all these appointments are women.
    Not only have they brought an extraordinary diversity of experience to the team, they also build on RiskLogic’s gender diversity and reinforce the value of having highly skilled women at the helm in crisis situations.

    They provide our clients with an unparalleled depth of capability and ‘lived experience’ in business continuity and crisis, incident and emergency management.

    So who are these talented women? Check out their full credentials on LinkedIn here:

    1. Dr Rebecca Hoile, our new Senior Manager, Resilience in our new Adelaide office
    2. Briony Morgan, promoted internally to Senior Manager, Resilience in our Queensland team
    3. Joanne Costa (nee Hill), promoted internally to Senior Manager, Resilience in our Victorian team
    4. Razia Namazie CBCI, AMBCI, our new Senior Manager, Resilience in the NSW team (returning to RiskLogic after previously working here in 2012-13)
    5. Jessica Petersen, our new Manager, Resilience in our Victorian team.
    6. Vanessa Jaber, our new National Client Engagement Manager

    If you need help or advice in business continuity or crisis management and want to tap into the skills and experience of these extraordinary people, start a conversation with us today.

  • 5 reasons why you should have a business continuity plan

    What happens if a cyber-attack shuts your systems down for days, weeks or even months? How are you going to contact your staff, stakeholders, suppliers and customers? What will be the most efficient way to get your operations back to business as usual? If you don’t have the answers to these questions, then you don’t have a Business Continuity Plan.

    Whilst you may not be able to predict every kind of event or incident that could occur, a Business Continuity Plan will help you prepare for and recover from the most likely events or incidents you could face. The lack of a Business Continuity Plan may have severe impacts on your business operations and could affect your financial viability and reputation.

    If you’re still putting business continuity planning into the ‘too hard’ basket, here are 5 reasons why you should move it to the top of your priority list.

    1. Minimise downtime
    The primary purpose of a Business Continuity Plan is to minimise downtime. Whether you suffer from a natural disaster or a ransomware attack, the best way to stay in business is to continue business-as-usual operations as soon as possible.

    2. Continue business-as-usual operations
    Some Business Continuity Plans allow the business to continue business-as-usual operations during an incident by including back-up and recovery sites. These are off-site areas where critical business functions can operate from, regardless of damage or inaccessibility to the usual site.

    3. Communicate confidently
    In the event of an incident, you will want to establish order amongst the chaos. A Business Continuity Plan will outline a chain-of-command delegation of responsibility and outline reliable communication channels.

    4. Compliance
    Some industries require a business to have a well prepared and tested Business Continuity Plan to comply with industry regulations. Industries such as insurance may offer lower premiums for businesses with a robust plan.

    5. Your reputation matters
    When things go wrong, your shareholders, customers and the public will be watching very closely, and in the absence of information, they automatically assume the worst. The speed and effectiveness of your response could make or break your reputation.

    There’s no time like the present to prepare a Business Continuity Plan for your business or review your existing plan. If you need any help, reach out to our experienced consultants. Having helped hundreds of clients since 2005, we do know a thing or two about Business Continuity Planning, so start a conversation today.

  • Building APS910 compliance into Business Continuity Plans

    Following the Global Financial Crisis (GFC) in 2008, the Australian Government introduced the Financial Claims Scheme (FCS) to protect depositors. The Prudential Standards APS910 – Financial Claims Scheme released in 2013 required Authorised Deposit-Taking Institutions (banks, building societies and credit unions – referred to as ADIs in this article) and general insurance companies to implement measures to ensure they are adequately prepared, should they become a declared ADI for FCS purposes.

    In recent years, APRA has conducted a range of activities designed to strengthen and facilitate improvement in ADIs’ FCS operational preparedness levels. These activities comprised prudential reviews, an FCS readiness survey and benchmarking exercises to review APS910 audit reports and CEO attestations. These observations highlighted gaps, leading APRA to make recommendations for improvement in APS210 to support further operational maturity.

    What is APS910?

    APRA Prudential Standards APS910 – Financial Claims Scheme (FCS) is an Australian Government initiative that protects depositors of authorised deposit-taking institutions and policyholders of general insurance companies from potential loss in the unlikely event that one of these financial institutions fails. The scheme ensures that depositors do not lose their deposit, but are instead paid out by the Australian Government. Under the FCS, deposits are protected up to $250,000 per account holder at each ADI. For insurers, the Australian Government will cover up to $5,000 of valid claims per policyholder. Claims above $5,000 are also covered under the FCS for eligible policyholders and certain third parties.

    If the FCS is activated by the Australian Government, APRA will be responsible for administering it within 7 calendar days. For APRA to administer the FCS within this timeframe, ADIs need to provide APRA with key details of account holders within 48 hours.

    Who does it affect?

    APS910 applies to ADIs such as banks, building societies, credit unions and general insurance companies. A comprehensive list of Authorised Deposit-Taking Institutions is available on the APRA website.

    Who is ultimately responsible for APS910?

    The Board and senior management of an ADI are ultimately responsible for ensuring that appropriate policies and procedures are in place to ensure the integrity of the operations, internal controls and information required under this Prudential Standard.

    Why is it important now?

    Whilst APS910 is not new to ADIs, compliance should be reviewed following an APRA recommendation that resulted from the Banking Royal Commission. The recommendation, supported by the government, introduces the Banking Executive Accountability Regime (BEAR). The BEAR is responsible for all steps in the design, delivery and maintenance of all products offered to customers by the ADI and any necessary remediation of customers in respect of any of their products. Furthermore, updated technical questions on the Financial Claims Scheme were published on the APRA website in September 2018, indicating a focus on ADIs and their compliance.

    What do you need to do to comply*?

    APRA emphasises five major areas that ADIs need to address in order to ensure compliance with APS910.

    1. Financial Claims Scheme Framework – ADIs should review FCS governance procedures to improve Board and senior management awareness and oversight (accountability and responsibility) as well as including FCS related components in an appropriate risk management framework. ADIs should also review and update operational FCS plans and integrate them with other relevant crisis related plans where appropriate.
    2. FCS Testing – ADIs should ensure internal FCS testing occurs, at a minimum, in line with APRA’s testing schedule. Test results – including shortcomings with FCS-related systems, processes and reporting as well as respective causes – should be documented, along with remediation plans and timeframes.
    3. Data Integrity – ADIs should thoroughly investigate and analyse FCS reporting and testing results against clearly defined tolerance levels. Timely reconciliations and checks should be performed with the generation of each report with tracking of issues, and a remediation plan linked to the risk management framework. ADIs should work to reduce exception numbers and values to acceptable levels that are within the tolerance set by the ADI.
    4. Reporting – ADIs must take steps to ensure systems have the capability to be updated to reflect account holder balances post FCS payments.
    5. FCS Communication – ADIs should examine the FCS information currently contained on their website and in PDS documents to ensure it is accurate, up-to-date and easily accessible. ADIs could also consider the positive benefits that FCS protection offers account holders and help to facilitate this messaging.

    APRA has clarified that systems capacity, communications and testing requirements are to be in line with business continuity planning arrangements. If you haven’t reviewed your compliance with APS910 and seen how it can be integrated into existing Business Continuity Plans, reach out to our experienced consultants today.

    *This section is contributed by Amy Mallick, RiskLogic Resilience specialist

  • Is your business resilient to Grey Rhinos and Black Swans?

    The animal kingdom seems to be used more and more as a metaphor and symbol of human behaviour, both physically and psychologically. There are elephants in people’s rooms and black sheep roaming within people’s families and social groups.

    Yet in the business of risk and resilience, we find ourselves facing two other animals – the ‘Grey Rhino’ and the ‘Black Swan’. The ‘grey rhino’ is a known risk or threat that people choose not to act on despite the potential for harm. It is seen as something that is present, with a series of warnings – an event that is both highly probable yet somehow neglected.

    In business, this can translate to those things that directly or indirectly impact everyday operations and services, including outdated policies, conflicting procedures and practices, and ongoing disputes.

    By comparison, the ‘black swan’ is an event that cannot be predicted, appears seemingly out of nowhere and has a profound effect across a multitude of sectors. Examples include the 2008 Global Financial Crisis, Japan’s Tsunami and Fukushima Daiichi nuclear disaster, terrorist attacks like 9/11, and the 2019 Christchurch shootings.

    Globally, grey rhinos are being taken more seriously, with many politicians and world leaders quoted in the media, describing economic and political instabilities as ‘grey rhinos’ in the distance. The lesson we can take from this type of media exposure, is to use the opportunity to envision the grey rhino risks within our own businesses, identify the likelihood and scale of their impact and prepare adequate business recovery strategies.

    Keep in mind, protection from grey rhinos is more than just a physical one. The impact of a problem that was apparently in front of you the whole time, may have cascading consequences, impacting your business culture, brand and reputation.

    In terms of risk management resources, many have argued that one cannot dedicate time and resources to preparing for a Black Swan event. However, taking the time to identify the grey rhinos, and strengthening your resilience through crisis management and business continuity, will surely build a foundation from which you can react to and recover from a Black Swan that might land on your doorstep.

    If you want to discuss your level of resilience preparedness, contact RiskLogic to find out how.