Category: Business Continuity

  • Maintaining business continuity in a fuel crisis

    The recent drone attacks on key oil installations in Saudi Arabia highlight the risk of disruption to world oil supplies. While the damaged Abqaiq refinery produces only 5% of global fuel supplies, around 90% of Australia’s imported fuel comes from the Middle East. An extended disruption in the Middle East would impact Australia’s fuel supplies.

    Multiple threats to Australia’s liquid fuel supply chain make businesses particularly vulnerable in a fuel emergency. Threats to our fuel supply include natural disasters, political instability, declining onshore refining capacity, as well as cyber and terrorist attacks. Ports receiving fuel are additionally subject to disruption from severe weather, accidents, equipment failures, industrial action and delays.

    What happens if Australia runs out of fuel?

    Disruptions to any stage of the fuel supply chain can have a significant flow-on effect to the business community. In 2015, aircraft at Melbourne Airport had to be rescheduled and refuelled at another airport due to the late arrival (by 3 days) of fuel ships [1]. In December 2012, when the Altona refinery was closed for scheduled maintenance and Victoria’s second refinery in Geelong was unexpectedly shut down due to electrical problems arising from a storm, many retail outlets in regional Victoria ran out of fuel quickly and were without diesel, and many Melbourne outlets were similarly affected [2].

    Under the Liquid Fuel Emergency Act 1984, the Australian Government has the authority to prepare for and manage a national liquid fuel emergency. Each state and territory also has arrangements in place to deal with liquid fuel emergencies within their respective jurisdictions.

    Protecting business continuity

    The reality is, in a fuel emergency, the management of available fuel will be out of the control of individual businesses, even those who consider themselves ‘essential users’. Will your organisation be able to carry on business as usual if your staff are unable to get to work or fly out for important meetings? Does your business have the technology to carry on the business with staff working remotely?

    A business continuity management plan that addresses a major fuel shortage is essential. “Fully assessing and understanding your company’s exposure to supply chain disruptions is the first step towards resilience and business continuity”, says Ben Patrick, Regional Manager at RiskLogic. “Thorough Business Impact Assessments (BIAs) will identify the dependencies within your supply chain. A detailed understanding of the associated critical business functions will form your business risk profile. In turn, appropriate strategies can be developed and tested using real-world scenarios. This is how you develop business resilience and capability in the face of a crisis.”

    Businesses in Australia are predicted to be dependent on oil until at least mid-2030, with the ever-present risk of a major disruption to liquid fuel supply. Sound business continuity planning and staying informed about government fuel priorities are essential. The Department of the Environment and Energy’s Liquid Fuel Security Report, due for release in 2019, will set out the Government’s priorities for fuel usage. This report will be essential for businesses to help them understand the potential implications on Australia’s supply chain if there is a fuel crisis.

    To assess the effectiveness of your business continuity plan, or to develop a plan, contact RiskLogic to find out how.

  • APRA’s information security requirements: is your organisation prepared?

    With one in 10 Australian businesses reporting an internet security incident breach [1], effective management of increasingly prevalent and sophisticated attacks on information is critical. Australian regulators have also begun tightening data management, cyber resilience and information security requirements with APRA’s standard CPS 234.

    The new standard, which came into force on 1 July 2019, clarifies steps organisations need to take regarding board oversight, information security controls and notification of information security incidents. For those organisations whose information assets are managed by third and related parties, the new APRA obligations will begin from 1 July 2020 (or the date on which the relevant third or related party arrangement is renewed or materially updated).

    Establishing a clear information security framework

    To be ready for 1 July 2020, regulated entities such as authorised deposit-taking institutions (ADIs), superannuation funds and health insurers that rely heavily on external providers for information management need to start establishing an appropriate framework now.

    ‘Assessing and reviewing the adequacy of the information management service provider is an essential first step in establishing a new or updated framework,’ says Daniel Muchow, Head of Cyber Security at RiskLogic. ‘The framework must also show clear ownership and accountability for information security tasks and functions, clearly define escalation paths and thresholds, and establish compensation measures.’

    Detecting and responding to information security incidents

    Under CPS 234, the APRA entity must also have robust mechanisms and plans to detect and respond to potential information security incidents. ‘Organisations need to be prepared for a worst-case scenario. Even the most rigorous control testing or the most sophisticated encryption protocol can be subject to attack with potential loss of information,’ says Mr Muchow.

    CPS 234 applies to all information assets, not just personal information or data. This includes software, hardware and hard and soft copies of data regardless of materiality. ‘Even if an organisation considers an asset immaterial, a cyber attacker could use this asset to compromise assets with higher levels of criticality and sensitivity,’ confirms Mr Muchow.

    Notifying APRA

    Under CPS 234, all APRA-regulated entities must notify APRA of any information security control weakness or information security incident:

    • that is material, or
    • has been notified to any other Australian or foreign regulator.

    This is required even where information assets are being managed by a third party.

    The APRA regulated entity must notify an information security incident to APRA within 72 hours after the APRA entity becomes aware of the relevant incident or vulnerability. This reporting obligation reinforces the importance of rigorous protocols when working with third parties to ensure information security incidents are communicated to the contracting organisation in a timely way.

    Following the Financial Services Royal Commission of 2018, we anticipate that APRA will rigorously enforce the new standard. Organisations using third party providers will need to be particularly vigilant to ensure there is a clear framework to enable compliance with APRA’s new standard.

    For help protecting your information under APRA’s CPS 234, contact RiskLogic on 1300 731 138 today.

    Visit the APRA website for more information on CPS 234.

  • Don’t shoot the canary in your coalmine

    Some people grumble that the advent of social media has increased the risk of bad publicity for businesses because it only takes one grumpy customer with a smart phone and an Instagram following to create a damaging pile on.

    While this is true to an extent, it ignores one of the major benefits of social media.

    That is, complaints, negative comments and bad reviews on social media are free market research for businesses who may otherwise be oblivious to problems at customer level.

    Twitter’s little blue bird really should be bright yellow, because it is like a canary in a coal mine. It is very easy for businesses to monitor the canary, identify emerging problems and fix them before they become costly.

    So if a canary in your coal mine starts tweeting negatively, don’t complain about unfair damage to your brand reputation. Instead, listen, be grateful and do something about it before it explodes and turns into a communication nightmare.

    What if the complaint is totally unfounded or unreasonable? Well, some battles just aren’t worth fighting. You should respond respectfully, demonstrate your great track record, bust any myths and move on with your day.

    And don’t forget what it was like in the “old days” when you were 100% beholden to the traditional media in a crisis. After a lengthy media conference, you would hope and pray that the media used just one grab to tell your side of the story.

    Don’t get me wrong, traditional media is still very important and powerful, but social media allows you to communicate to your stakeholders directly, in full and unfiltered.

    You just have to make sure your message is transparent, authentic and relevant to those at the coalface.

    For a well-prepared response, you’ll do well to include social media in your crisis communications plan – being prepared means you’ll hit the ground running when a crisis hits. If you need help with your communication strategy or communication plan, start a conversation with our team today.

  • Bushfire haze an emerging threat to Business Continuity

    Australia is no stranger to bushfires, but November saw the worst series of bushfire events occur across multiple states, with many still burning. The impact on directly affected individuals, communities and the environment has been enormous – with loss of life, hundreds of homes, livestock and livelihoods. Yet the depth and breadth of these fires extends much further, with the impact being felt by many people and businesses located far from the fires.

    How has the bushfire haze threatened businesses and why do we need to consider business continuity?

    Several fires have impacted the farming communities with significant loss of animal stock and crops, as well as feed stocks, resulting in decreased supply, increased prices and loss of jobs locally and further along the supply chain.

    While not all areas were primarily impacted by fire, the recent declaration of catastrophic conditions saw the closure of more than 600 schools in New South Wales and Queensland, and 100 in South Australia. This led to reduced staff across other local businesses as parents managed childcare arrangements, with others activated across several community and volunteer service agencies – leading to a real threat to an organisation’s business continuity.

    Air quality at hazardous levels

    Images of the resulting smoke haze have been streamed across the globe. Our highly regarded clean, fresh air now ranks 12 times above hazardous levels. For Sydney, it’s the worst air quality index (AQI) ever experienced. This has had obvious health impacts such as increased breathing-related problems, with health authorities urging people to stay indoors and restrict outdoor activities – including outdoor occupations. Some businesses have seen a significant increase in sick leave, have been forced to reduce opening hours or been unable to continue outdoor operations.

    In addition, the impact of the fires and the smoke haze does nothing to welcome tourists to our major cities and parklands over the coming, commercially profitable, Christmas/New Year break, with many hotels and event organisers reporting record reductions in bookings.

    While we may not know the true impact of these fires on our environment, communities and businesses for many months, what we do know is that the ‘heart’ of the bushfire season hasn’t even started, with January and February set to be hot and dry.

    Business will continue to be impacted, some industries more than others. So, take time now to identify and define a clear business continuity plan in preparation for what is predicted to be a tough summer ahead.

  • Integrating Fatigue Management programs into Business Continuity

    The increase in 24-hour business operations and longer work shifts has highlighted the need for effective fatigue management strategies. Research has shown that fatigue can have significant impacts on a business including:

    • Reduced productivity (through impaired performance, errors, etc.)
    • Increased accidents (15–20% of accidents in transport operations are related to fatigue, surpassing that of alcohol or drug-related incidents)
    • Increased personnel costs (e.g. lost time, absenteeism)

    In addition, fatigue has significant personal costs to employees including contributing to health problems such as gastrointestinal and cardiovascular disorders as well as the disruption of family and social life.

    The importance of fatigue management programs is reflected in the increasing number of legislated requirements and industry guidelines that have appeared both locally and internationally. Within Australia, regulations governing work and break schedules have been in place for many years within the trucking industry. Similar regulations or guidelines exist for other industries including rail, oil and gas and mining.

    What is Fatigue?

    Fatigue is an acute or ongoing state of tiredness that affects employee performance, safety and health. Fatigue is cumulative – it builds up, leading to a progressive loss of alertness that ultimately causes the person to fall asleep.

    The effects of fatigue include: 

    • Loss of alertness – Loss of alertness is an early sign of fatigue and may include minor memory lapses or difficulty in operating equipment safely.
    • Poor judgement – Fatigue affects the ability to think clearly and to make safety-related decisions. The problem is compounded by the fact that someone who is very fatigued may underestimate how fatigued they are.
    • Mood change – Fatigue can cause irritability, agitation and the tendency to overreact to issues that arise.
    • Drowsiness – When drowsy, a person may experience ‘microsleeps’ of 3 to 5 seconds. This can be critical if operating heavy machinery or travelling at high speeds. Eventually, this drowsiness can lead to the person falling asleep.

    Causes of Fatigue

    There are several factors that contribute to fatigue. These include:

    Disruption of circadian rhythms

    The body has natural or ‘circadian’ rhythms that are repeated approximately every 24 hours. These rhythms regulate sleeping patterns, body temperature, hormone levels, digestion and many other functions. When these rhythms become ‘out of sync’ due to factors such as different sleeping or eating times or even changes in the exposure to light, fatigue can result. A common example of this is jet lag.

    Sleep factors

    The amount and quality of sleep is critical to preventing fatigue. People who do not have enough sleep will incur a ‘sleep debt’. This sleep debt is cumulative and will continue to build up if there is insufficient sleep.

    The quality of the sleep is also important. Poor sleep quality is a common problem for those on shift-work since it is often difficult to attain restful sleep during the day or if there is considerable noise.

    Health factors

    Many health factors and lifestyle choices contribute to fatigue. For instance, individuals with sleep apnoea (a breathing obstruction during sleep that causes oxygen starvation) do not get enough sleep because they wake frequently during the night. Other health conditions such as diabetes and obesity can also contribute to fatigue as can alcohol, a poor diet, poor physical fitness and the side effects of some medications.

    Work factors

    Work factors can be a major contributor to fatigue. Two common examples are long or excessive hours and inflexible deadlines.

    Integrating fatigue management programs into business continuity

    A risk management approach should be taken when including a fatigue management program into your business continuity planning. The approach may include these key steps:

    • Identifying the hazard
    • Assessing the risks
    • Controlling the risks
    • Monitoring the effectiveness of the program

    Applying the risk management steps to fatigue management:

    Identify the hazard

    • Identify all jobs that are at risk of excessive fatigue
    • Identify who may be affected
    • Identify the causes of fatigue

    Assess the risks

    • Identify the potential consequences of fatigue in the selected jobs.
    • Determine the likelihood of an incident.
    • Assess the level of risk using a risk rating matrix.

    Controlling the risks

    • Determine the improvements required to reduce the risk to an acceptable level.

    Monitor effectiveness

    • Implement a system for reporting fatigue related problems.
    • Monitor any alterations to shift-work schedules and/or work conditions.
    • Periodically review the effectiveness of your control measures and the overall program effectiveness.

    Controlling fatigue

    Controlling fatigue in the workplace ideally involves a number of different approaches that provide several protective ‘barriers’. This may include:

    1. Ensure adequate staffing levels: As a first step, it is important to ensure that adequate staffing levels have been set in order to enable control over other factors such as shift length, amount of overtime and the average time off duty.
    2. Shift scheduling: In addition to mandatory limits that may exist for shift lengths and rest periods, optimal shift schedules require consideration of issues such as shift structure (e.g. permanent or rotating shifts), shift patterns (e.g. fast versus slow rotation of shifts) and rest breaks during and between shifts. Shift schedules should also account for factors such as the employee’s commuting time to and from work, employees swapping shifts or overtime assignments. This is best addressed by using fatigue risk models to assess actual (rather than planned) work-rest patterns and to place limits on the number of consecutive working hours or the number of days worked in a row.
    3. Employee fatigue training & sleep disorder management: It is also important to educate employees on the causes of fatigue and the ways that they can manage their personal fatigue risk. This includes coping with shift-work lifestyle issues and understanding health conditions that may affect the quality of sleep.
    4. Workplace environment design: Changes in the workplace can also assist in overcoming reduced alertness caused by out of sync circadian rhythms or inadequate sleep. Changes in environmental factors such as the lighting intensity, sound levels, temperature and humidity can be helpful in this regard.
    5. Alertness monitoring & fitness for duty: A final line of defence is to put measures in place that identify employees who are not suitable for work. Technologies such as alertness monitors and fitness for duty tests are options that can be considered for this purpose.

    By taking a systematic approach to fatigue management and including these risks in business continuity plans, companies can minimise fatigue-related incidents while improving employee wellbeing and ensuring compliance with OHS regulations and best practices.

  • A Trigger for Business Continuity

    The 2019 novel coronavirus (2019-nCoV), first detected in Wuhan, China in December, has quickly spread globally, with reports of suspected cases of coronavirus in Australia, the US and the Philippines. The same province in China saw the origins of severe acute respiratory syndrome (SARS), and is considered globally to be a high-risk region for emerging infectious diseases (EID).

    Many factors contribute to the emergence of novel viruses: overcrowding, loss of animal habitats, close human/animal cohabitation and climate change, with rapidly mutating viruses more common among emerging pathogens. As climate change and its impacts are amongst the top 3 global risks to businesses, an outbreak may be a trigger for business continuity.

    Source of the Coronavirus

    Health authorities are still working out the source of this new virus. A likely zoonotic disease, it was first thought to originate from a seafood and live animal market in Wuhan, China. Human-to-human transmission has since been confirmed. Although the virulence of this virus is not considered severe, its geographic spread has been fuelled by the increase in travel due to the Lunar New Year celebrations.

    The World Health Organisation (WHO) has issued a number of statements over recent days, reinforcing the need for on-going active monitoring and preparedness in affected and other countries. WHO has issued guidance on how to detect and treat persons ill with coronavirus.

    It is great to see that the regional laboratories were able to generate an in-house PCR test (genetic test) so quickly. By doing so, they have allowed other countries like Australia to follow suit, with a recent suspected case in Brisbane, the first to be tested.

    Incorporating an outbreak response into your business continuity planning

    The WHO Director will continue to monitor the event through the activation of its incident management system at country, regional and headquarters levels. At this point in time, the IHR Emergency Committee has not declared the event a public health emergency but will reassess regularly.

    The Australian Government Department of Health has released an information page and will activate biosecurity measures at the borders.

    The emergence of 2019 novel coronavirus is a timely reminder of the unpredictable nature of infectious disease outbreaks and the ease with which they can spread in a world that is hyper-connected, both at the human and animal level. The impacts of an outbreak and potential human pandemic can include loss of staff, reduction in processes, loss of revenue and human and animal travel restrictions. The key to tackling such a threat is rapid identification, good hygiene practices and infection control, at our borders, hospitals, workplaces and homes.

    Further to that is the need to improve business continuity plans to include identified strategies for dealing with these potential impacts. Raising awareness of outbreak prevention and business resumption strategies will strengthen your ability to remain flexible and adapt to such a threat.

  • Integrated Business Continuity Plans: Tackling Cyber Risk Head-on

    Cyber risk is one of the biggest concerns facing organisations today. The effects of a cyber attack or data breach can be felt throughout the entire organisation with far-reaching ramifications for customers and staff. This is no longer just an IT concern – it’s everybody’s business.

    “It’s critical that business continuity professionals incorporate cyber threats in their business continuity planning, along with the traditional threats such as severe weather or supply-chain disruptions,” says Simon Petie, Regional Manager at RiskLogic. “But rather than having two separate response models – one for IT and one for the business continuity team – IT’s response needs to be integrated into the existing business continuity structure. This integration has the added benefit of giving IT an insight into the potential impact to the business as a whole.”

    Potential cyber attacks

    Cyber attacks are constantly changing and attackers are finding new ways to breach defences. Such attacks can wreak havoc in an organisation causing reputational damage as a result of compromised personal or financial information, loss of productivity and decreased revenue. In some cases, it can even shut down operations or put an organisation out of business entirely.

    “An organisation’s response must be tailored to different cyber threats,” confirms Daniel Muchow, Head of Cyber Security at RiskLogic. “The plan also needs to highlight what activities are to be performed by IT and define specific communication points between IT and leadership. This could include periodic situation updates as well as advising on response options. In a cyber crisis, it’s critical that designated IT personnel, as subject matter experts, have the power to authorise actions as necessary.”

    Updating the business impact analysis

    Keeping the business impact analysis up to date to ensure it identifies all critical IT processes, data and locations is also important. If there is a network failure, plans must be in place for secure access alternatives. Like other disaster responses, backup systems also need to be regularly tested.

    Today, information technology is woven into the very fabric of organisations. When the IT department is able to work seamlessly with business continuity leaders through an integrated business continuity plan, organisations can respond quickly and appropriately to a cyber attack. Costs will be minimised, data better protected and reputational damage effectively controlled.

    For help integrating Cyber Security risk control with your business continuity plan, contact RiskLogic on 1300 731 138 today.

  • Learning Resilient Leadership: Putting leaders ‘in the box’

    Resilient Leadership has become one of the top searched business queries on YouTube (the world’s second largest search engine).

    Recently I was consulting a large business on Incident Management and understanding resilient leadership. We worked on their overall framework for managing incidents, and then produced a beautiful array of nested documents to show how ready the company was to manage incidents. But then came the interesting part; the validation.

    What I found was that the company was quite concerned about the exercise and scenario methodology.

    In fact, we spent a number of meetings going into specific detail regarding the scenario that was to be tested. The key leader (and CMT lead), who we were conducting the work with, wanted to be fully briefed on the scenario and to be part of the staff administrating the exercise.

    Having queried this type of approach with other consultants, it seems that this is not an uncommon occurrence.

    So, what’s the problem here? 

    Applying the most basic military or sporting mindset to this story reminds me of the adage ‘train as you wish to fight’. The issue in the anecdote above is not that the leader wanted to ensure the exercise met the required goals or milestones to satisfy internal, higher or external entities, but more the absence of actual leadership due to a fear of failure.

    To internally monologue this type of leader:

    Of course I would like to be involved in this scenario, but deep down I don’t want to look like I don’t know what I’m doing. I don’t want to worry my team about my capacity to perform under pressure. I’ll find a solid excuse such as oversight of the exercisers or the need to accurately assess the response teams. In fact, I’ll most likely convince myself so much that I wouldn’t even have considered myself in the first place.

    The term ‘in the box’ is a phrase used to describe people being exercised under test conditions. If you are ‘in the box’ you are being tested.

    So, should a leader go ‘in the box’ with their team? Even in situations where they may have to pass supervisory or exercising duties to others (maybe even a junior). Should they step into the box when they know their deficiencies are likely to be seen? Should they step into the box knowing they may fail?

    I was a commander of a Special Forces Task Unit in the Irish Defence Forces. This unit has an extremely rigorous selection process with less than 1% membership of the entire Defence Forces.

    During my time as a leader within this organisation, I failed multiple times. I failed in front of my teams. Sometimes, I felt like I had made a fool of myself.

    On one occasion during a physical competition on an obstacle course, I couldn’t scale a wall. Everyone else in my sub-unit could without any support. My technique and strength let me down and I was so embarrassed that I eventually had to get assistance to scale it. How could I ever ask of them what I could not do myself?

    It hurt tremendously, and there was nothing I could do to change that moment. But I could and would do two things:

    1) I found a weakness and therefore could fix it. I would train and train to ensure I could scale the wall. I trained during the weekends, springing up my house perimeter wall, over and over.

    2) Most importantly, I didn’t hide from the fact that I was below standard and didn’t hide from future tests of my capability.

    Standards are standards, and any test is exactly that, a test against a standard (even if only self-assessed). If I don’t test myself with my team:

    • Then I won’t know where I’m weak.
    • I might dangerously presume that I’m at the standard.
    • How would I ever know how I will go as a leader when ‘it’ happens for real?
    • How will we work under pressure if ‘for real’ is our first time?
    • How will they have confidence in me as having done the same as them, having shown my weaknesses, and then shown the leadership to remediate my weaknesses?
    • Then how would it be fair of me to appraise my team on their performance?

    In answer to the question should a leader go ‘in the box’? – the answer (albeit without individual context) should be YES by default.

    In my experience, the best leaders don’t just go ‘in the box’, they crave the opportunity to get in the box with their team, to give it a crack, to fail together (if they have to) and then learn and repeat the test.

    The best leaders in my experience dislike sitting outside the box while their team is in it. They make the time to get into the box. They cancel other plans to show how important it is.

    Everyone squirms at the thought of assessment. No-one likes to be caught off-guard in front of their team.

    But in my experience, while the short-term effect of mucking up during a blind exercise will feel like a complete failure of your leadership, the long-term personal leadership and group dynamic gains far outweigh the embarrassment and incompetence.

    If you rate your team then you will know they will admire your honesty of effort, over your ability to nail a debrief from the sidelines. Remember, this is training, where the entire idea is to learn from it, and your mistakes are always the best learned lessons.

    So, as a leader:

    • Step into the box. It may sting a little, but you and your team will be stronger for it.
    • Step into the box with facilitators who understand this concept, who have been in the box and who appreciate the challenge.
    • Do it with those you trust, both to challenge you (because you will then learn) and who will protect you (with their experienced ability to read live exercise direction).

    Because a real incident or crisis is not the time to begin your learning – it’s the time to do it and do it well.

  • Thinking About Embedding Organisational Resilience

    To succeed in these uncertain times, strengthening organisational resilience has never been more important.

    Last year was a wake-up call for all of us. To thrive in the coming decade, organisations must develop resilience: the ability to withstand unpredictable threat or change and then emerge stronger.

    The world is undergoing increasingly fast and unprecedented change. Catastrophic events will grow more frequent but less predictable. They will unfold faster but in more varied ways. The digital and technology revolution, climate change, and geopolitical uncertainty will all play major roles. Here is how.

    Technology & Digital Revolution

    The digital revolution has increased the availability of data, the amount of connectivity, and the pace at which decisions are made. This offers transformational promise but also comes with potential for large-scale failure and security breaches together with rapid cascading of consequences. It also increases the speed at which a company’s reputation can change in the eyes of consumers and employees.

    Climate Change

    The changing climate presents structural shifts to companies’ risk-return profiles, which will accelerate in a non-linear fashion. Organisations need to navigate concerns for their immediate bottom line together with pressures from governments, investors, and society at large. All this while natural disasters are growing more frequent and severe.

    Geopolitical Uncertainty

    An uncertain geopolitical future provides the backdrop. The world is more interconnected than ever before – from supply chains to travel, to the flow of information and how it’s digested. But these connections are under threat, and most organisations have not designed their role in the global system to be robust enough to keep functioning smoothly even if connections are abruptly cut.

    In today’s world, where the future is uncertain and change comes fast, organisations need to look beyond short-term performance and basic organisational health. They must be able not only to withstand unpredictable threats or change, but also to emerge stronger. In short, there must be significant resilience.

    Starting to embed resilience

    Traditionally, to stave off disaster, organisations have put in place business continuity plans to respond to a list of potential threats—hurricanes, server outages, cyber-attacks etc. They have tended to include a dose of conservatism in a single-scenario planning approach. This approach is outdated.

    Businesses should strive as much as possible to embed resilience in the way they work, in a way that makes them better in normal times, not just in the face of unpredictable threat or change.

    To get started in building resilience for the years ahead, companies can take three steps:

    1. Understand how resilient your organisation is today.
    2. Determine what your organisation needs to be resilient in the future.
    3. Design your approach to developing and maintaining the resilience your organisation needs.

    Companies that understand the resilience they need for the future can implement sensible change.

    In case of vulnerabilities, this may mean transforming in ways big or small to enhance resilience directly. But, most importantly, firms should look to build resilience into any transformation they undertake, regardless of the primary goals—from digital to growth to cost.

    This yields more robust change and helps you bake in resilience from the outset.

  • How Business Continuity Can Help SMEs to Multinationals

    How Business Continuity Can Help SMEs to Multinationals

    The idea or concept of Business Continuity or a Business Continuity Plan is often seen by small to medium-sized businesses as not important or relevant to them; they’re just a small fish in a big pond and these global disasters are likely to have a bigger effect on the FTSE 500 than them.

    The truth is, even the biggest businesses have neglected their plans during the pandemic.

    If we think about disruptions that have occurred across the last year, a lot of them have been widespread and impacted businesses of all sizes. But perhaps for the first time, there is an opportunity for small businesses to utilise best practice, and start adopting a resilient culture now.

    From large multinational corporations, right down to the small family-owned businesses, everyone has been affected. It’s easy to focus on the big disruptions, but every day businesses are subjected to yet another disruption from cyber-attacks, system outages, supply chain issues, or even a burst pipe running out into the office.

    Some of these disruptions stand alone and are faced on top of the major disruptions we’re dealing with, such as losing access to email systems, or access to seeing the team face to face again.

    These are flow-on effects from our major disruptions, such as needing to wait for telecommunication networks to be rebuilt after bushfires destroy the infrastructure, or needing to repair supply chains after they are thrown into disarray by border closures.

    I was once being trained on a new system and the question was asked “what happens when this fails?” This was met with some pretty bold statements such as “at our organisation, we don’t have system failures” and “Telstra is more likely to fail than our system”.

    Sure enough, a couple of weeks after the system was launched there was an outage that lasted a few hours but affected many of our customers, leaving teams to try and figure out workarounds.

    Business Continuity Plans aren’t a one-size-fits-all product. The same style of plan that suits global corporations isn’t going to work for smaller businesses; however, we’re seeing the evidence this year that disruptions don’t discriminate: they can hit organisations of all shapes and sizes. Fortunately, plans can also be shaped to organisations of all sizes.

    At RiskLogic, one of our smallest clients (in terms of staff) holds four people. They service a global audience in the tens of thousands. So, the argument could be made that their internal structure is so small, they can manage it in an agile, in-house format. Despite that assumption, this client’s plan is comprehensive and has been well tested and used during the supply chain disruptions of COVID-19.

    In the big scheme of things, it’s so easy to underestimate the value of Business Continuity. I had a mentor tell me:

    Business Continuity Plans are the tools required to help businesses collect resilient procedures, but they end up collecting dust instead.

    But it can be so much more than that. It can help those small businesses thrive through what is likely their toughest battle. It helps large corporates stay on top of what their stakeholders expect of them.

    Business Continuity should be and can be used by all, so start yours today!