Blog

  • Crisis Communications: The Fundamental Guide


    In today’s world, almost any type of crisis can happen. From a data breach to a natural disaster, companies need to be prepared for every eventuality. This fundamental guide provides you with essential information on what a crisis communications plan is and how to create and execute one. By following these simple steps, you can minimize the damage caused by a crisis and protect your company’s reputation.

     

    Table of Contents:

    1. What is crisis communications and why do you need it?
    2. The four steps of effective crisis communication
    3. How to create a crisis communication plan
    4. What to avoid for effective crisis communication

     


     

    What is crisis communications and why do you need it?

    Crisis communications is a facet of the overarching business continuity management strategy. It is the establishment and application of guidelines that guide an organisation on how to communicate effectively in the event of a crisis. The strategy involves anticipating potential risks, preparing responses in advance, establishing communication channels, and executing a quick and effective response when a crisis occurs.

    Crisis communications isn’t merely about managing the flow of information in the throes of a precarious situation. It also encompasses post-crisis communication to ensure that stakeholders’ trust remains intact, and the organisation’s reputation is rehabilitated efficaciously.

    The importance of robust crisis communications cannot be overstated. Given the volatile business environment we operate in, punctuated with unforeseen occurrences such as natural disasters, cyber-attacks, pandemic disruptions, and more, the question is not ‘if’ but ‘when’ a crisis will strike.

    Having a proficient crisis communications strategy ensures your company can manage any critical incident in the following ways:

     

    1. Information Control: It allows you to control the narrative around your brand, presenting accurate information in a timely manner and preventing the spread of rumours or misinformation.

    2. Stakeholder Confidence: Transparent communication during a crisis can maintain or rebuild stakeholder confidence and trust. Stakeholders include not just your clients, but staff, shareholders, suppliers, and the wider community.

    3. Operational Continuity: Prompt and effective communication can facilitate business operations to resume quickly or continue with minimal disruptions during a crisis.

    4. Reputation Protection: Crucially, it aids in protecting your organisation’s reputation, an invaluable asset in today’s hyper-visible, interconnected world.

     

    In essence, crisis communications is a fundamental aspect of any organisation’s risk management strategy in today’s vastly unpredictable business environment. Establishing proficient crisis communication protocols can control the information, ensure stakeholder confidence, enable operational continuity, and most importantly, protect your organisation’s reputation.

    Done right, it’s more than merely staying afloat during testing times; it’s about rising with resilience, ready for future challenges.

     

    The four steps of effective crisis communication

     

    Navigating the turbulent waters of a crisis requires more than just a hastily constructed response; it necessitates a carefully devised strategic plan that encompasses the following four steps:

     

    1. Preparation: One of the most crucial steps in effective crisis communication is adequate preparation. Develop a crisis communication plan that identifies potential risk scenarios, key stakeholders, necessary communication channels, and the roles and responsibilities of the team members. Incorporating regular drills or simulations into your preparation routine aids in better understanding of the plan and helps identify any potential loopholes.

    2. Response: The response phase is when the rubber meets the road; it’s the immediate actions and communications following the onset of a crisis. Rapid, transparent, and consistent communication is crucial here. Not only must your organisation provide timely updates to stakeholders, but also empathetically acknowledge the impact of the crisis and outline steps being taken to mitigate it.

    3. Management: This phase involves continual engagement with stakeholders, managing media interactions, and updating crisis communication based on the evolving situation. Actively listen to stakeholders’ concerns and be responsive in addressing them. There could be unexpected developments; hence, the ability to adapt and modify your communication in line with changing circumstances is vital.

    4. Recovery: Once the immediate crisis is under control, the recovery phase commences. This phase focuses on repairing any potential damage to your organisation’s reputation, restoring trust among stakeholders, and conducting a post-crisis evaluation. This evaluation facilitates learning from the crisis, refining your processes, and better preparing for future incidents.

     

    While these steps provide a roadmap to navigate the crisis communication terrain, being mindful of the nuances of your specific crisis, audiences, and communication channels will make this roadmap purposeful and pertinent to protecting your company’s interest. With these foundational steps, your organisation is set to tackle any crisis with resilience and poise.

     

     

    How to create a crisis communication plan

     

    • Understand your Audience: The first step is to know who you are communicating with. Recognising your stakeholders or audience, including clients, employees, or shareholders, will enable you to tailor compelling messages that address their concerns appropriately.

     

    • Specify your Communication Team: Identify a team that will be responsible for communicating during a crisis. This team should involve skilled personnel or leaders who preferably possess strong communication skills and understand your business operations well. Their role involves managing all forms of communication throughout the crisis to ensure consistency and clarity.

     

    • Conduct a Risk Assessment: Evaluate potential crises that your company might face and focus on the ones most likely to happen based on your industry’s vulnerabilities and historical trends. Whether it’s an operational failure, a cyber-attack, or a natural disaster, understanding these risks helps in effective preparation.

     

    • Create Your Key Messages: One thing a crisis doesn’t afford is time. Therefore, having preset messages for different risk scenarios can be a lifesaver. Tailoring your communication and resonating with your stakeholders’ sentiment is the key to ensuring their unwavering support during challenging times.

     

    • Choose your Communication Channels: Depending upon your stakeholders, your choice of communication channels may vary. It could range from press releases, social media, newsletters, emails, or an internal communication system. A variety of channels ensures your message reaches a broader audience promptly.

     

    • Implement Regular Training and Exercises: Having a crisis communication plan on paper is not enough. Regular training and exercising of the plan are crucial in preparing your teams to respond swiftly and skilfully when a crisis hits.

     

    • Review and Improvement: A crisis communication plan is not a static document. It evolves as businesses grow, environments change, or new threats emerge. Regular reviewing and improving of your plan ensures your organisation remains at the forefront of crisis readiness.

     

     

    Tips for managing a crisis

     

    • Maintain Open Communication: Transparency is vital in a crisis. Ensure you maintain open lines of communication with all stakeholders. Whether it’s employees, customers, or investors, providing factual information about the crisis and how it’s being managed helps build trust and reduces misinformation.

     

    • Mobilise Your Crisis Management Team: As soon as a crisis hits, mobilise your crisis management team. This team should initiate the implementation of the crisis response plan, manage internal and external communications, and oversee the procedure until the situation is resolved.

     

    • Prioritise Issues: Understand that not all problems can be addressed immediately. Prioritise the issues at hand based on their urgency and impact on operations. This facilitates a systematic approach towards problem-solving and helps mitigate risks effectively.

     

    • Show Compassion: During a crisis, don’t forget the human element. Whether it’s an internal issue affecting staff or an external concern impacting customers, being compassionate helps your organisation maintain relationships and convey empathy.

     

    • Monitor the Situation: Stay updated on the progression of the crisis. This could involve tracking media coverage, engaging with stakeholders, or assessing the impact of the crisis on various aspects of the business.

     

    • Debrief and Learn: Once the immediate threat has passed, take time to debrief. Identify what worked well, where the gaps were, and how you can improve the process for the future. Incorporating these learnings into your crisis management plan will bolster your readiness for future crises.

     


     

    Remember that no two crises are the same, and thus, your response must be flexible and adaptable. At RiskLogic, we offer bespoke strategies to arm your organisation with the expertise and knowledge needed to manage a crisis efficiently. With our help, you can turn a crisis into an opportunity for growth and resilience.

     

  • Incident Management: The Fundamental Guide


    What is incident management and why is it important for businesses and organisations of all sizes?

    Critical incidents are unplanned events that pose potential harm to members of crowded places. When these crowds are associated with your own business or organisation, these incidents can also inflict harm on your operations, reputation, and public perception.

    Incident management is a set of procedures that help you manage the outcomes by accommodating all possible scenarios of potential harm. Effective incident management programs integrate with preparations from local authorities, regulators and combat agencies, and should be aligned with best practice guidelines established by the Department of Home Affairs or similar.

    Incident management is extremely important to organisations and businesses of any size because without it, any number of potentially harmful scenarios can occur without any recovery strategies in place. In this day and age, where public perception plays such an important role in business success, ensuring that you can mitigate any effects these unplanned events have on your business is vital to your success.

    For example, visitor harm from over-congestion in a venue is a very likely scenario that can occur despite your best efforts to the contrary. By having an incident management plan in place to deal with such a scenario, you maintain your reputation whilst also saving time and money through effective and efficient planning.

     

    The fundamental steps of incident management

    Strong incident management planning consists of the following 4 stages:

    Incident Planning

    The foundation for your incident management procedures is in analysing and reviewing your existing resilience programs to assess your level of preparedness and compliance for an incident. These reviews must be done with legislation, best practice standards or benchmarks in mind.

    Once a review has been completed which would include documentation reviews, workshops, interviews and physical site visits, a final report containing the gaps in your incident management planning would be produced. This report would not only highlight gaps in your incident management, but also provide recommendations for how to improve your preparedness.

    The review of your current situation is only the start though. Next you need to prepare yourself for the future. Incident planning activities in this stage include activating your incident team to be ready to respond effectively, developing assessment tools you can use yourself, developing action plans, and setting in place communications procedures to mitigate the effects of incidents whenever they occur.

    Leadership Training

    Once your initial review and planning are complete, it’s imperative that your incident response team members are trained to respond effectively and efficiently. Typically, incident management training will consist of the following units:

    • Incident fundamentals
    • Incident assessments
    • Communications training
    • Organisational toolsets

    At RiskLogic, our incident management training is tailored to all team members in your organisation and can be completed in-person or online depending on your organisation’s needs. Our course content is developed in house by resilience experts and is unique to your own organisation whilst keeping relevant to current world events. It’s world class training.

    Scenario Exercising

    Training is only part of the overall puzzle to incident management planning. Once your team members feel they are ready to put their training to the test, it’s time to begin scenario exercising their skillsets.

    Rehearsing your incident management plans via realistic, hands-on scenario exercises is critical in preparing your team members for any potential real-world scenarios. Scenario exercises help build familiarisation with staff roles, responsibilities, processes, tools available, tension levels and will help you identify gaps in your planning.

    The best scenario exercises focus on the following aspects:

    • Planning
    • Establishment
    • Facilitation
    • Completion

    Continual Improvement

    Now that your plans are in place, your incident response team has been trained, and you have identified any gaps in your planning through scenario exercises, it is time to maintain your readiness & continue to improve it.

     

    The first step to achieving this is developing a final version of the incident management plan for your organisation, containing all the improvements that have been made since step one of this process. This final plan will also include some extra elements including:

     

    • Incident assessments
    • Command centre establishment checklist & control structures
    • Role cards for each role & communication plans
    • Incident escalation and response checklists
    • Impact assessment tools
    • People management plans
    • Integration with resilience plans and other agency plans

    Once your final plan is ready, your organisation will have reached new levels of confidence, readiness & resilience in the face of unprecedented incident events.

    The different types of incidents that can occur at any time

    There are an almost immeasurable number of types of incidents that can occur, due to the nature of them being any unprecedented event that can cause harm in a crowded setting. Some better-known examples of these incidents include:

     

    • Slipping and tripping due to inadequately lit areas or poorly maintained surfaces
    • Collapse of a structure, such as a fence or a barrier
    • People being pushed against objects or any other sort of crushing between people
    • Crowd movements being obstructed due to mass movements of groups of people
    • Stampedes and trampling underfoot occurring due to panic
    • Aggressive behaviour between two members of the crowd

     

    Not only are there multiple types of incidents to account for, but the type of crowd which you are dealing with also plays a large factor in what kinds of incidents to prepare for. The types of crowds to look out for include:

    • Panicked crowds
    • Activist crowds
    • Expressive or motivated crowds
    • Commuter crowds
    • Tourist crowds

     

    Crowds can also change their type dynamically and without warning – so maintaining a constant level of attention on the situation is paramount in maintaining your preparedness.

     

    How to get started with Incident Management Planning

    Incident management planning can certainly seem overwhelming at first. However, at its core it is the practice of planning, training, exercising & continuously improving toward resilience & preparedness in the event of unforeseen harmful events.

    At RiskLogic, our team of experts have been delivering world-class incident management services for over 15 years. We’ve worked across multiple industries including education, governments, transportation & more – helping any organisation ensure they are ready when an incident strikes.

    If you enjoyed this article and want to learn more, be sure to click the contact button below to speak with one of our team members about your organisation today.

     


     

  • 5 Ways Organisations Can Improve Their Business Continuity


    Having a business continuity plan in place is essential for any company that wants to ensure the longevity of their business. Business continuity management helps to ensure a company can respond and adapt to any potential disruptions or disasters that may occur. Without proper planning, a company’s operations and processes could be significantly impacted, leading to costly disruptions or worse.

    At RiskLogic, we understand the importance of having a comprehensive business continuity plan in place. Our team of experts works with world-class brands to create customized plans that help them reduce risks, improve preparedness, and create resilience.

    Based on our experience, we wanted to provide others with our top tips to ensuring continuity in emergencies. Here are five ways organisations can improve their business continuity plans:

     

    1. Identify risks and prioritize them to improve Business Continuity

    Before you can create an effective business continuity plan, you need to identify potential risks and prioritize them based on their potential impact. By understanding the risks you face, you can be better prepared and create a plan that is tailored to your company’s needs.

    Risks that a business could face that may need to be identified and prioritised include:

    • Cybersecurity Risk: cyberattacks, data breaches, and other malicious activities.
    • Operational Risk: supply chain disruptions, natural disasters, and pandemics.
    • Financial Risk: market volatility, currency fluctuations, and fluctuating customer demand.
    • Regulatory Risk: employment laws and data privacy laws.
    • Reputational Risk: negative publicity or customer complaints.

     

    2. Develop a Business Continuity response plan

    Once you’ve identified and prioritized your risks, you need to develop a response plan. This plan should include specific steps to take in the event of a disruption or disaster. Steps that could be included in your response plan include:

    • Establish a Business Continuity Team: Form a team of key stakeholders to plan and coordinate the business continuity and disaster recovery efforts.
    • Develop a Business Impact Analysis: Identify and assess the impact of a potential disruption on the business operations.
    • Implement Controls and Procedures: Implement and review procedures and controls to ensure the business continuity plan is followed and updated as needed.

     

    3. Test your Business Continuity regularly

    You should test your business continuity plan on a regular basis to make sure it will work in the event of a disaster. Without proper testing, there is no way to assess the effectiveness of the current plan.

    There are a few methods for testing your business continuity plans, including:

    • Run a simulation: A simulation can include a full-scale exercise of the plan, with staff members acting out their planned roles, or a smaller test that focuses on a specific area of the plan.
    • Conduct a tabletop exercise: A tabletop exercise involves a discussion of the plan among staff members, led by a facilitator. The facilitator will ask questions about the plan and encourage discussion about how to improve it.
    • Conduct a risk assessment: A risk assessment is an important part of any business continuity plan. It should be conducted regularly to identify potential risks and assess their impact on the business. This can help identify weaknesses in the plan and provide an opportunity to revise or update the plan as needed.

     

    4. Establish communication protocols

    Establishing clear communication protocols is essential for business continuity planning. This includes identifying the people who need to be informed in the event of a disruption, as well as setting up communication channels and establishing protocols for communication with customers and stakeholders.

    By having clear communication protocols your team can efficiently and effectively communicate to internal stakeholders, as well as external media representatives during and after an incident.

     

    5. Monitor and review your Business Continuity plan

    Once your business continuity plan is in place, it’s important to monitor and review it regularly. This will help ensure the plan remains relevant and up to date, as well as identify any potential areas of improvement.

    One part of this stage is to conduct the risk assessment that was mentioned earlier. However, there are a number of other ways to review your plans to ensure their effectiveness.

    By following these five steps, businesses can ensure they have a comprehensive plan that is up to date and can help them respond quickly and effectively in the event of a disruption or disaster. We’ve found in our experience that these are the most often missed things that businesses can implement immediately, therefore helping them withstand incidents far more effectively than ever before.


     

    For a more comprehensive, detailed and tailor-made approach to your business continuity & resilience, our team of experts can help you create your own business continuity plan to create world-class levels of resilience.

    Contact us today to get a deeper insight into this topic from our team of consulting experts.

  • How To Design Business Continuity Solutions


    In the face of unexpected disruptions, having a sound Business Continuity Plan (BCP) is crucial to preserving your organisation’s operational integrity. By developing adaptive strategies and solutions, companies can ensure that business operations are not severely impacted during a crisis event. Below, we shed light on how to design robust business continuity solutions.

     

    1. Conduct a Business Impact Analysis (BIA):

    One of the fundamental steps in designing business continuity solutions is conducting a comprehensive Business Impact Analysis (BIA). This process involves identifying and evaluating the potential effects of interruptions to your business operations. The objective here is to pinpoint the essential functions of your business that are crucial for its survival.

    Three key aspects to consider while conducting a BIA are:

     

    Identify and Assess Critical Business Processes:

    Start by identifying critical business processes that are vital for the day-to-day functioning of your business. For example, it could be your IT system, production line, or customer service operations. Assess the consequences of these processes being disrupted. This requires an in-depth understanding of your business operation.

     

    Evaluate Financial and Non-financial Consequences:

    Determine the financial impact for your business if critical operations were interrupted. This might include assessing lost revenues, regulatory fines, compensation costs, or potential contractual penalties. Beyond financial consequences, think about non-financial issues that can have long term effects, like damage to your brand reputation, customer loyalty, and employee morale.

     

    Understand Recovery Time Objective (RTO):

    The RTO is the acceptable amount of time to restore the process after a disruption before it severely impacts the business. Understanding your RTO helps in prioritising the recovery of individual processes and systems, which is essential when resources are limited.

    By understanding the integral working aspects of your business and the potential fallout from their disruption, you can begin to shape a business continuity plan that will guide your organisation towards rapid recovery and minimal losses.

     

    2. Identify and Manage Risks:

     

    A pivotal step in the creation of your business continuity plan is the identification and management of potential risks that could threaten your organisation’s operations. This process forms the backbone of your strategy as it allows you to take a proactive approach in foreseeing and preparing for these possible disruptions. Here is a more detailed breakdown of the approach:

     

    Risk Identification:

    Begin with a systematic process to identify the potential threats that could impact your critical business operations identified in your BIA. These could be a wide variety of risks – cyber-attacks, natural disasters, supply chain failures, among others. Drawing from historical data, recognised trends, and comprehensive brainstorming sessions can assist in detailing a comprehensive list of these threats.

     

    Risk Assessment:

    Once the risks are recognised, the next step is to evaluate each one based on its likelihood of occurrence and the potential damage it could cause. This critical step allows you to focus resources and attention on high-probability and high-impact risks, rather than expending significant resources on less likely or less impactful scenarios.

     

    Risk Mitigation Strategies:

    Now that you have identified and assessed the risks, you need to determine how to manage them. Risk mitigation strategies range from transferring the risk via insurance, to mitigating the risk by implementing controls, accepting the risk and developing contingency plans, or avoiding the risk by changing business processes. The approach may vary depending on the specific nature of the risk and the unique circumstances of the organisation.

    Clear understanding and management of risks pave the way for establishing a solid strategy that safeguards your business operations. As part of your ongoing business continuity efforts, regular updates to your risk identification and assessment processes are crucial to ensure your plan stays relevant and efficient.

     

    3. Develop Your Business Continuity Strategies:

     

    With a clear understanding of the potential impacts to your business and risks at hand, the heart of your Business Continuity Plan – the continuity strategies – can now be developed. The purpose of these strategies is to ensure the continuity of operations and service delivery during disruptive events. Here’s how to go about it in more detail:

     

    Analyse Recovery Strategies:

    Understanding what your business needs to function effectively during a crisis is fundamental. This could be anything from ensuring a certain volume of inventory stocks, maintaining critical IT systems complete with data backups, to having an alternate power supply or co-locate facilities ready. Map out your recovery strategies in detail, ensuring that they align well with your Business Impact Analysis.

     

    Diversification and Redundancy:

    One common strategy to consider is diversifying your resources, components, or methods of operation. This might involve diversifying suppliers, cross training your employees, or building in system redundancies. By doing so, your operation is not wholly dependent on one element, thus enhancing overall resilience.

     

    Formulate Contingency Plans:

    Contingency plans represent your Plan B, the action steps involved if your primary strategies were to fail. This could involve provisions for alternate workspace locations, identifying backup suppliers, or employing remote working arrangements. The aim of these plans is to ensure that critical business operations can continue no matter what circumstances occur.

     

    Resource Allocation:

    Successful implementation of your strategies implies that sufficient resources are assigned, including personnel, equipment, and finance. This step involves clarifying roles and responsibilities, along with timelines for actions to be taken.

     

    Sequence of Recovery:

    Considering the complexity of business processes, it’s imperative to identify the sequential order in which systems should be restored during a disruption. Outline a specific timeline for the process for efficient recovery.

     

    These strategies underpin your Business Continuity Plan, allowing your business to adapt and respond effectively, minimising the impact of a crisis. Once formed, they should be regularly reviewed and updated to ensure they remain fit for purpose as your business evolves, and new risks emerge.

     

    4. Form an Incident Response Team:

     

    Having the right people at the helm is crucial to effectively manage a crisis situation. An incident response team plays a critical role in driving the execution of your Business Continuity Plan. Here’s how to form and prepare your team:

     

    Identify Team Members:

    Start by identifying who will be on your incident response team. This team typically consists of senior leaders and members from various departments – from HR to IT, Communications to Operations – each bringing their unique expertise to functional areas of the response process.

     

    Define Roles and Responsibilities:

    Once you have the team members, clearly define each person’s role and responsibilities during a crisis situation. This could range from making key decisions, managing the communication flow, coordinating recovery efforts, and liaising with external stakeholders such as first responders or the media.

     

    Plan for Redundancies:

    Ideally, each role in your response team should have a backup. In a real-life crisis, it’s entirely possible that some of your team members may not be available. Hence, it’s important to ensure that multiple individuals are trained and can step up to perform critical roles if needed.

     

    Equip Your Team:

    Ensure your team is equipped not just with skills, but also with tools and resources they need during a crisis. This could be anything from access to emergency communication equipment, necessary PPE, or a round-the-clock working space during certain emergencies.

     

    Conduct Regular Training:

    Even the most carefully laid plans can falter if the team doesn’t know how to execute them in a moment of urgency. Robust and regular training sessions can foster a well-prepared and confident team when they’re required to act.

     

    Foster a Crisis Leadership Mindset:

    Fostering a crisis leadership mindset within your team can go a long way. Empower your team to make critical decisions during crisis, foster resilience, communicate effectively, and prioritise well in high-stress situations.

     

    A well-prepared incident response team can significantly bolster your organisation’s resilience, efficiently navigating even the most challenging crisis situations. Remember, a team that trains together stands strong together. Regularly reviewing and refreshing these teams’ roles and training ensures an operational readiness to face any adversity.

     

    1. Develop and Document Your Plan:

     

    Once you have the components of your business continuity solutions, it’s time to compile it into a comprehensive document, which will serve as your Business Continuity Plan (BCP). This document not only directs how a business reacts to a crisis but also serves as a point of reference for everyone involved. Here’s what this step entails in more detail:

     

    Document the Plan:

    The BCP document should typically start with an overview of the plan, its objectives, and its governing principles. Following this, include sections that detail the outcomes of the previously discussed processes – the Business Impact Analysis, Risk Assessment, Business Continuity Strategies, and the Incident Response Team.

     

    Outline Clear Procedures:

    In the BCP, document explicit procedures for a plethora of potential scenarios your business might face. Ensure that these procedures are easy to understand, accessible and effective. Detail the activation triggers, step-by-step actions, the roles involved, and the resources required for each scenario.

     

    Communication Strategy:

    Include a section that outlines how communication will be managed during a crisis, both internally and externally. This should encompass guidelines for keeping all stakeholders informed. Also consider how you will communicate if your primary channels fail, and outline the alternatives for those instances.

     

    Emergency Contact List:

    A critical section in any BCP is the list of emergency contacts. This is not only limited to your incident response team members but also includes other crucial contacts such as local authorities and emergency services, utility and service providers, insurance companies, key suppliers, and customers.

     

    Plan Accessibility:

    The BCP document should be easily accessible to all relevant parties. Ensuring that multiple copies are stored both online and offline guarantees that the plan remains available even if normal business environments are disrupted.

     

    Confidentiality Considerations:

    The BCP often contains sensitive information. Therefore, the plan’s circulation should be controlled and only made available to those who require its information.

     

    Remember, your BCP document isn’t a one-time task. The landscape of threats and your business operations are constantly changing, and hence, the BCP must be a living document, constantly reviewed and updated to maintain its relevance.

     

    1. Regularly Test Your Plan:

     

    Testing is a vital part of developing an effective Business Continuity Plan (BCP). Without testing, you can’t fully gauge whether your strategies are comprehensive and would work when a crisis arises. Let’s dive into how to test your plan effectively:

     

    Determine the Testing Method:

    There are a variety of methods to test your BCP, including walkthroughs, tabletop exercises, partial or full-scale simulations. The method you choose depends on what you’re aiming to test and your available resources.

     

    Set Out Objectives:

    Before carrying out any test, set out the objectives that you want to achieve. These could range from identifying gaps in the plan to testing individual elements of the strategy to assessing the effectiveness of the incident response team.

     

    Document the Process:

    Detailed documentation of the testing process, including what was tested, how it was tested, who was involved, and the results derived, is essential. It provides valuable insights that you can refer back to when updating and revising your plan.

     

    Agree on a Schedule:

    How often you test your BCP could depend on various factors such as the size of your business, the rate of organisational change, and the evolving risk landscape. Generally, a BCP should be tested at least annually, although parts of the BCP might need more frequent testing.

     

    Review and Revise:

    After your test, gather everyone involved to discuss what worked and what didn’t. Aim to make improvements and modifications to your BCP based on these findings to ensure that your plan is as effective as possible.

     

    Remember, every test, in every form, provides an opportunity to learn, refine, and improve. Perfection is not the ultimate goal during test exercises – it’s about finding vulnerabilities and fixing them before a real-life crisis hits. The prime objectives are to learn, enhance readiness, and strengthen your organisation’s resilience.

     

    1. Review and Update Continually:

     

    The last but equally crucial step in designing a business continuity plan is continuous reviews and updates. A business environment is not static; as it evolves, your business continuity plan should evolve with it. Let’s see what this step involves in more detail:

     

    Regular Check-ups:

    Incorporate a regular review of your entire business continuity plan into your business calendar. The frequency may vary based on the nature of the business and apparent threats, though a good rule of thumb is at least once a year or when major changes occur in the organisation.

     

    Following Changes in Operations:

    If your business experiences significant changes, a review of the business continuity plan is necessary. For instance, operational processes may change, a new branch may open, a new software solution may be implemented, a merger or sale may occur, or new threats may emerge in the industry. All these factors can have implications for your existing plan and must be considered.

     

    Post-incident Review:

    After an incident occurs, hold a debrief meeting to glean insights from the team involved. This should aim to identify what worked and what didn’t in the plan and then take appropriate steps to improve.

     

    Update as Needed:

    If reviews or real-life situations indicate gaps or weaknesses in your plan, it’s pivotal to not only note these down but to update your plan accordingly. An out-of-date plan can cause more confusion than relief in a crisis situation.

     

    Communication:

    Once revisions have been made, don’t forget to communicate the changes to everyone who needs to know. Make sure everyone who has a copy of the plan updates their version to the latest one.

     


     

    Designing a comprehensive business continuity plan can be challenging, but the reward of maintaining business as usual in the face of crisis is invaluable.

    At RiskLogic, our team of experienced consultants helps organisations build robust and resilient plans that mitigate risks and uphold operational integrity, even in the face of adversity. So why wait until disaster strikes? Let us help you build a resilient future, get in touch today.

     

  • The world’s biggest Cyber attack just happened, here’s what you should know

    This week marks the Business Continuity Awareness week in association with the BCI, and would you believe it, the world’s largest cyber attack has hit as well. You couldn’t make this stuff up.

    The facts (so far)

    Over the weekend, one of the world’s largest ransomware attacks was released across small to medium-sized private sector businesses, in particular, an Australian company being the attackers’ first victim on Friday.

    The attack that began on Friday is believed to be the biggest online extortion attack ever recorded and has sent some major organisations into meltdown, including the UK’s NHS (National Health Service). On Sunday the UK Government announced 97 per cent of its hospitals were back to normal after the attack locked, but Europol director Rob Wainwright said he feared the attack was not over and that the number of attacks would continue to grow.

    The attack, which essentially locks your company’s main servers and users’ files, has hit 200,000 victims in 150 countries. This number is expected to grow vastly in the next few hours as workers turn their computers on for the first time since the weekend.

    The ransom itself is a grand total of $300 USD and is expected to grow if the user does not pay.

    The attack appeared to be caused by a self-replicating piece of software that takes advantage of vulnerabilities in older versions of Microsoft Windows, security experts say.

    Chris Watts from Tech Analysis and RiskLogic’s own IT experts says “WannaCry / Wcry / WannaCrypt ransomware is spread via SMB, that is the Server Message Block protocol typically used by Windows machines to communicate with file systems over a network. It’s able to do this where the machine supporting the protocol has not received the critical MS-17-010 security patch from Microsoft which was issued on the 14th of March and addresses vulnerabilities in SMB. In other words, you have to be almost 2 months behind in your patch cycle in order to get hit with Wcry”.

    Unfortunately at this stage, little is known about the attackers. What we do know, though, is one major aspect: this worm doesn’t necessarily need a phishing scam email to find its way onto your computer. It gets onto your system by exploiting the vulnerabilities that the patches your system likely doesn’t have installed would have closed.

    Although the seriousness of this attack is hitting most media outlets today, very few victims have paid the ransom. It should remain this way! Paying the ransom not only funds these attackers to continue, it’s also not necessary.

    Am I safe?

    The first thought that comes to mind for many business men and women is whether their personal and business computers and files are safe. The short answer is, you’re always a target for this sort of thing. The good news right now is you still have time! As terrifying as the unprecedented global “ransomware” attack is, this is still a media-generated storm. Cyber security experts said it was nothing compared to what might be coming and what is possible — especially if companies and governments do not make major fixes now. This means, in short, you still have time to remain in control.

    Your organisation’s goals should be to remain calm and let the IT professionals get to work!

    Here’s what you need to do right now:

    Chances are, very few tech geniuses and IT chaps are reading this. The likelihood is your CEO, Directors and Stakeholders want to know the facts, ‘are we affected?’. You can help them right now by staying one step ahead of the game. Chris Watts of Tech Analysis says you can take a few quick and easy steps:

    1. Keep your operating systems current or update them now
    2. Install patches early
    3. Have a robust backup strategy (time to get your BCP out?)
    4. If you are infected, don’t pay the ransom; restore from the backup and get your IT team everything they need
    5. Lock down machines (e.g. make sure nobody uses the admin account except for administrators, and that only trusted users can install software, use USB drives, etc.)
    6. Don’t open suspicious emails or attachments
    7. Restrict access to network resources (ransomware can only encrypt what it can access or what machines it can propagate to, so make sure file share permissions are set up so that each machine only has access to the files on your network file server needed for the workflow that machine is used for)
    8. Block unnecessary ports like PPTP (PPTP is an obsolete method for implementing virtual private networks, with many known security issues)
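The technical items in the checklist above (steps 1, 2, 5, 7 and 8) can be checked against an asset inventory. The following is an added example, not code from the original post or from RiskLogic; the inventory fields, host names and severity ranking are assumptions made for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass

SMB_PORT = 445                  # TCP port used by SMB file sharing
PPTP_PORT = 1723                # TCP control port used by PPTP VPNs
REQUIRED_BULLETIN = "MS17-010"  # the SMB security patch the article refers to
RANK = {"critical": 3, "high": 2, "medium": 1}


@dataclass
class Host:
    """One row of a hypothetical asset inventory (field names are assumptions)."""
    name: str
    bulletins: set        # security bulletins recorded as installed
    listening: set        # TCP ports other machines on the network can reach
    admin_users: set      # accounts that currently hold admin rights
    approved_admins: set  # accounts that are supposed to be administrators
    writable_shares: set  # file shares this machine can write to
    needed_shares: set    # file shares its workflow actually requires


def audit(host):
    """Return (checklist step, severity, message) findings for one host."""
    findings = []
    unpatched = REQUIRED_BULLETIN not in host.bulletins
    if unpatched:
        # Steps 1-2: an unpatched host that is also reachable over SMB is
        # the combination a worm spreading via SMB depends on.
        severity = "critical" if SMB_PORT in host.listening else "high"
        findings.append((2, severity, f"{REQUIRED_BULLETIN} is not installed"))
    extra = host.admin_users - host.approved_admins
    if extra:
        # Step 5: admin rights held by accounts that are not administrators.
        findings.append((5, "medium", "unapproved admins: " + ", ".join(sorted(extra))))
    excess = host.writable_shares - host.needed_shares
    if excess:
        # Step 7: ransomware can only encrypt what the machine can reach,
        # so surplus write access matters most on an unpatched host.
        severity = "high" if unpatched else "medium"
        findings.append((7, severity, "surplus share access: " + ", ".join(sorted(excess))))
    if PPTP_PORT in host.listening:
        # Step 8: PPTP is obsolete and should not be listening at all.
        findings.append((8, "medium", f"PPTP port {PPTP_PORT} is open"))
    return findings


def prioritise(hosts):
    """Order the hosts that need work: worst severity first, then most findings."""
    scored = []
    for host in hosts:
        findings = audit(host)
        if findings:
            worst = max(RANK[sev] for _, sev, _ in findings)
            scored.append((-worst, -len(findings), host.name))
    return [name for _, _, name in sorted(scored)]


# Constructed sample inventory; host names, accounts and shares are invented.
INVENTORY = [
    Host("front-desk-pc", set(), {445}, {"administrator", "reception"},
         {"administrator"}, {"finance", "reception"}, {"reception"}),
    Host("file-server", {"MS17-010"}, {445, 1723}, {"administrator"},
         {"administrator"}, set(), set()),
    Host("design-laptop", set(), set(), {"administrator"},
         {"administrator"}, {"projects"}, {"projects"}),
    Host("kiosk", {"MS17-010"}, set(), {"administrator"},
         {"administrator"}, set(), set()),
]

if __name__ == "__main__":
    for name in prioritise(INVENTORY):
        host = next(h for h in INVENTORY if h.name == name)
        for step, severity, message in audit(host):
            print(f"{name}: step {step} [{severity}] {message}")
```

The ordering gives the IT team a work list to bring to the crisis team: unpatched machines reachable over SMB come first, and a fully patched, locked-down machine does not appear at all.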

    Why haven’t I heard of many companies being affected?

    If it wasn’t for the (accidental) discovery and build of a ‘kill switch’ by a 22-year-old tech whiz, only referred to as MalwareTech, this attack would be much larger than it currently is. MalwareTech and his partner, Darien Huss, registered a domain name over the weekend that redirected the attack to MalwareTech’s main server, activating their kill switch and halting the attack.

    A pinch of luck and tech knowledge has helped slow the attack down in this bubbling soup of concerns. However, Director for Centre for Cyber Security Research at Deakin University, Professor Yang Xiang says that “this attack is likely to progress and grow over the coming hours due to its nature”. Europol director Rob Wainwright says that he feared the attack was not over and that the number of attacks would continue to grow, however many crisis experts (including myself) are confidently promoting the need to revisit your Business Continuity Plans and remain confident in your staff.

    Another key reason you are likely not to hear companies registering their attack will be their reputational damage and concerns from their direct clients or customers. Typically, media attention and a statement released by those affected come once control is established, although this isn’t always best for their clients!

    One major aspect you need to consider is social media. An easy step to take now is to reinforce your BC awareness and instil confidence to your staff.

    Staff should be asked to remain off social media and, if necessary, provided with official communication and statements if the business has been affected.

    MalwareTech’s advice is simple: If you haven’t patched, do it now!

    This is already believed to be the biggest online extortion attack ever recorded, disrupting computers that run factories, banks, government agencies and transport systems in nations as diverse as Russia, Ukraine, Brazil, Spain, India and the US.

    Get your Business Continuity Plan out!

    Remember that plan RiskLogic helped you put together? Now is the time to get it out on your desk. You don’t need to be activating it just yet, but it’s worth having a skim over. Remain a step ahead by revisiting your key procedures and get your BC Team and Crisis Team in the loop.

    You need to be using this plan and your excellent communication to get the facts. Have a confident individual in your IT team present you the facts. Relay these to your stakeholders and make the call, as a team, whether you need to activate your plan.

    Leave the technical stuff to the pros!

    The worst thing you can do is get in the way. The chances are, you’ve not been affected. You also probably won’t be affected (there are more heroes out there than hackers!). But how good of an excuse is this to get your plan out and share it around?

    Business Continuity Awareness Week

    This coming Friday the 19th, I will be attending the Executive Breakfast for Business Continuity Awareness Week (BCAW). We will be discussing the Kaikoura EQ but also the latest news on this cyber event. This is a great opportunity to sit with some of the leading industry experts on what you should be doing to prepare.

    You can register for the event here: http://www.bci-events.wildapricot.org/event-2541842

    Until then, plan, do, check and act…

  • The Christchurch Earthquakes and a Senior Business Continuity Consultant

    That unmistakable feeling that the world just got unstable is becoming a way of life in NZ, but you never get used to the nightmare that is an Earthquake. It seems almost comical to chuck a Senior Business Continuity Consultant into an Earthquake, then be evacuated due to Tsunami risk – exactly what we preach daily.

    The one that hit our 2-story house at Waikuku Beach just after midnight on Monday the 14th November, felt like it was never going to stop. As a Crisis Management Consultant, I frequently talk about my experiences in the Christchurch 2010/11 EQ and the stress that each aftershock brings, because you never really know how long it’s going to last. This was no aftershock, this was the real deal and it just wouldn’t stop, 40 seconds of the ground turning to jelly then, 2-3 minutes of it trying to settle into its new bed beneath our feet. Remember in the 80’s when those water beds came out and destroyed everyone’s backs? Well, it felt like my home had been placed on one of those and we were told to brace.

    Survival mode kicks in, following the standard drill; drop, cover, hold. A quick inspection for damage, a couple of broken ornaments but no rushing water, no cracks in the walls. Initial impact assessment complete. Time to get the incident team together, me and the wife! Sorry old habits die hard, processes just kick in and stuff gets done, yes I’m an incident nerd!

    Things are not good, but are we in a crisis yet? If we are then this definitely has the characteristics of a sudden crisis:

    • Unpredictable, unexpected: Fast asleep in dreamland this was certainly unexpected.
    • High degree of instability: we were certainly all over the place for the first 5 mins, is this really happening again after the five years of torment already?
    • The immediate potential for extreme negative results: Things seem OK in our world but we had no idea that most of NZ were feeling this one. My flight to Wellington later in the day was looking doubtful.
    • Immediate management attention, time and energy: With the realisation of a real threat of Tsunami my attention was now focusing on our escape plan.
    • Often brings about organisation change: Living at the beach is losing its charm, my wife is looking for higher ground!

    Being in the business and being an EQ veteran the “grab bag” is always ready to go. The basics in tow, torch, gas cooker, first aid kit, water, tins of beans, battery charger, sleeping bag, etc and of course, dog food! So when the Tsunami alert was given we were ready to go. We had a plan and we were just about to put it into effect.

    But planning and doing are two different things, again something I’ve spent many years trying to teach. The realisation when we drove out of our drive joining the rest of the fleeing villagers, that we might not see our house again, can’t be simulated in an exercise. Not that I have made my wife practice our evacuation procedures, I’m not that much of a nerd! But I was working hard to recall my training on the human impact of a crisis. Magnified by the fact that our animal family was one short, the cat was nowhere to be seen! Despite trying to follow what you’ve been taught and what we know as professionals, emotions start to sink in. Driving away in the pitch black with our lovely, peaceful house fading into the background in my rear view mirror, not knowing whether it would handle the night ahead.

    Just to put it into perspective, you can see the ocean from our window and walk to it in four minutes. We were the exact people the Police wanted to evacuate.

    Impact assessment complete, the team assembled, communications complete to my son in Wellington and our recovery strategy initiated, relocate to an alternate location. Classic 5 initial steps to managing your crisis.

    Of course, these actions relate to recovering your business, but why not relate them to your own preservation too? Having a plan, any plan is always a good idea. In a night of unknowns and real stress, it certainly helped to focus my mind. After 7 hours of sitting in our truck on a hill with the dogs, not knowing if the 5-meter wave predicted was coming, it was a relief when we got the all clear to head home.

    Time now to put my business continuity for my business into action, my clients in NZ, Wellington, Christchurch, Nelson and Tauranga were dealing with their own issues, our meetings were put on hold, but my Australian clients would still need attention. My Maximum Allowable Outage (MAO) 24 hours, for my critical process Respond to client enquiries and issues was not under threat.

    Lessons learned:

    1) Every incident is different, this was real – not a test, but we can still learn from it. We can always do things better. My fuel tank on the truck had dropped below half full. Always keep it above half.

    2) Don’t panic, it really doesn’t help. Your employees or your wife won’t appreciate it, people need to be led by a strong confident leader.

    3) Make a decision. The Tsunami alarm didn’t work, some people stayed. The radio said leave because that was the advice from Civil Defence. Better to get ahead of the game, you can always come back if it’s a false alarm.

    4) Have a good plan for the pets, they have to come and they don’t always want to. The cat needs a cat box, he will run off the first chance he gets.

    5) Have your grab bag ready to go. Check it frequently, stuff can go out of date.

    6) Have a plan, any plan. Remember the 6 Ps. Prior preparation and planning, prevents piss poor performance!

    The gas cooker was on full noise on the tailgate of the Hilux 4×4 for the first brew of the day while the sun rises over our disfigured land, and I have internet connectivity, we are literally “cooking on gas” now. Normal business has resumed, even if I am standing knee deep in a paddock of cow dung!

    Until next time, Plan, do, check, act…

  • The Question Isn’t Can You Exercise, It’s Will You?

    Over the past few years, RiskLogic has gained a reputation for providing truly unique and dynamic exercise simulations for organisations wishing to test their Business Continuity Program & resilience. Being able to understand how your team works when the pressure is on is vital, but being able to identify gaps and roadblocks that can occur during a crisis, probably more so.

    Recently, RiskLogic sat down with Therese Chakour-West, the Information Technology Manager at STIHL Pty Ltd (STIHL) to revisit her experience in developing and validating a Business Continuity Plan (BCP) and attending an exercise.

    STIHL established its name in the forestry and landscape world as far back as the mid-1920s. Today, they are considered the pioneers of petrol-powered chainsaws and one of the most established brands in the market. Their chainsaws, handheld equipment, and tools are likely to be sitting in most handymen’s vans. When Mr. Andreas Stihl founded his company in 1926, however, it is unlikely he was considering the importance of a BC plan and running scenario exercises. So why is it that today, in 2016, a large majority still haven’t acted on putting something in place?

    Therese and her team are considered as early adopters in this case. They saw a need for a review and action before anything serious happened, and this was endorsed by the parent company’s auditors!

    “We’ve not had a BCP at all before, so that was an obvious key driver. We identified a serious gap for the operation and we had to act on it. The auditors asked for things like the Disaster Recovery Plan (DRP) and we didn’t have any plan to show them! They really applied the pressure, so we had to get something done and it was our responsibility to do so for our own subsidiary.”

    It’s no myth that directors, CEOs and senior execs are being spoken to all the time about BCPs and the risks that the organisation faces. A key challenge is convincing them of the importance and then getting it underway.

    “I had been trying to get it off the ground for many years. The previous MD didn’t quite see the value but with the auditor’s support and the current Leadership team support, I knew I could finally get something done here. The interest was already there for the DRP, but it was also the BCP we had to align. You can’t have one without the other. So, I just took it upon myself to get it done. You know, it’s funny, when I met with the Chairman of the board in July, I told him what we had done with the exercises, the DRP & BCP and this convinced him enough to report the importance of them back to the parent company and other subsidiaries. He just got that we needed to do it.”

    When you are part of a very large organisation, it is easy to forget that many areas of the business have different risks compared to that of head office. Therese understood quickly that their plan had to be different.

    “The parent company in Germany had their DR plan and it seemed obvious to use theirs. It didn’t take long to realise we had our own risks to focus on though. So, our procurement manager went to market and we found RiskLogic. That final BCP couldn’t have been handed down, it had to be unique for our three sites, it had to focus on our needs”.

    “We’re a team of four full-timers here on the IT Crisis team (7 total members on the crisis team). It was a no-brainer to all of us we needed this in place, but it was getting the guidance to put a plan that worked into action”.

    Those organisations that do not have a plan in place often ask themselves the same question, ‘what do we actually do if something happens?’ Most businesses will encounter at least 17,000 different versions and types of incident events each year (mostly small cyber attacks that fail); a vast majority of those will not have a BCP in place to deal with it.

    “I asked myself that a few years back; if we have a crisis, what do we do? Who does what? Really, when you’re in that high-intensity situation – what are you going to do? We really were flying by the seat of our pants here”.

    RiskLogic’s exercises focus on testing a business continuity program via realistic, hands-on scenario exercises. This is critical to:

    1) Build familiarisation with staff roles, responsibilities, processes and available tools

    2) Identify practical program improvements

    3) Provide a high level of stakeholder assurance in an organisation’s recovery capability

    At RiskLogic, we create event-driven, realistic scenario exercises, maximising participant engagement and providing a comprehensive, yet practical learning experience. We’ll even provide a Client with highly dynamic scenarios, utilising well-established exercise resources in a controlled exercise environment.

    Over the last two years, we have run over 150 exercises and trained over 7,000 people on Business Continuity. A number of those organisations later went on to have a real life situation occur. They were able to successfully implement the plan they had originally rehearsed to deal with the situation.

    Therese reiterated the importance of this, “You know, I’m keen to get these happening annually! Keeping the team refreshed because there is a lot of information, just keeping that awareness there”.

    “The scenario was a real eye-opener for us; it was unanimous. You’re really put under the same pressure you would get in real life. We were getting emails, phone calls and you know you really are just winging it by that stage.”

    “I actually got a phone call from ‘The Herald Sun’ and thought what am I supposed to say to them? I actually put my foot in it and it was a huge surprise there. You don’t think that an emergency you’re dealing with could be going viral on social media, and that can really hurt the brand.”

    “I also noticed we needed a lot of focus on the ground level people. Who is going to check on our staff?  Do we know who on the crisis team should focus on our people and where they should be based? Do you stay in the office while all this happens? No, you get out and act and this simulation really showed the dynamics we can provide as a small team, it was really great”.

    Recently, a pastor who had eaten at an Applebee’s restaurant in the US crossed out the automatic ‘18% tip charged’ for parties of more than eight and wrote “I give God 10% why do you get 18” above her signature. A waitress at the restaurant took a photo of this and posted it online. She was subsequently fired for “violating customer privacy” which would have been understandable if Applebee’s had not posted a similar receipt that was complimenting them just 2 weeks prior.

    As news of this incident spread like wildfire and infuriated people across all social media platforms, Applebee’s responded with a short post defending their actions on their Facebook page. This quickly drew over 10,000 mostly negative comments, to which Applebee’s started responding by posting the same comment over and over again. They were also accused of deleting negative comments and blocking users.

    The downward spiral continued as Applebee’s persisted in defending their actions and argued with users that criticised them. By the following day, after the original post had generated over 19,000 comments, Applebee’s decided to hide the post which only created more anger.

    “Gosh, you just shouldn’t underestimate the importance of this. People, customers talking about your brand without you being aware could be so damaging. There is so much at stake” Therese acknowledged when we mentioned a similar example.

    Since their scenario exercise with RiskLogic in June 2016, Therese is initiating an awareness session with the wider team. Her three other locations throughout Australia will adopt the same processes to ensure everyone, everywhere, is prepared – especially their Primary Crisis Team working out of the command centre in Melbourne. This is a fantastic step for STIHL to promote their resilience and innovative nature in the market, but maybe more so having the ability to show their staff and clients they care about this subject!

    “I have so much more to learn, I’m no Crisis Management expert but I definitely feel more confident in my team and our readiness when the pressure is on”.

    To learn more about STIHL and their work, visit Stihl.com.au

    For daily updates, follow my Twitter or our Facebook pages now!

    Until then, plan, do, check & act…

  • How The Defense Force Was Hacked

    Just over a year ago, I was sitting down to lunch with a client in Wellington. It was a rare, beautiful day with a nice buzz of students and frantic businessmen walking around us. We were about 300 metres away from the Beehive (Executive Wing of the New Zealand Parliament Buildings) and my client leant over to ask, “What do you think is the most likely and unlikely organisation to be hacked or targeted by cyber-terrorism?” After very minor thought, I concluded that anything to do with the Defence Force is not only a huge target for any budding hacker, but surely, it’s also the last place that would allow that to happen, right? Wrong!

    As of Tuesday 10th October 2017, an Australian Defence Contractor has had highly commercially sensitive information on the build and design of new fighter jets, navy vessels, and surveillance aircraft stolen.

    The Facts as we know them:

    Dan Tehan, the minister in charge of cybersecurity, confirmed the hacking had taken place and was targeted towards an unknown contractor.

    The hack itself took place over a few months, without any defence or internal networks picking up the attack.

    24 hours after the news broke, Australian authorities researched and criticised the defence contractor for “sloppy admin” concluding that in fact, anybody could have penetrated the company’s network and that they were “surprised it hadn’t happened sooner”.

    During the investigation of the hack, it was found that hackers had exploited a hole in the IT helpdesk portal, a 12-month-old vulnerability that no staff member had patched, literally leaving a door wide open for even the most amateur of hackers to enter.

    Furthermore, the Australian Signals Directorate (ASD) found that the contractor had not updated any of its key passwords and entry codes for any internet facing servers in many, many months.

    It has recently emerged that the admin password used to enter the company’s web portal was ‘admin’ and the guest password was ‘guest’. An unbelievable fact in terms of the contractor’s field of work.

    ASD incident response manager Mitchell Clarke told a conference in Sydney on Wednesday (11th October) the hackers targeted a small “mum and dad type business” — an aerospace engineering company with about 50 employees in July last year. This means the hackers were experienced enough to go through a third party/supply chain of the main contractors first, again exploiting a hole in the continuity of the whole program.

    Clarke noted, “It included information on the (F-35) Joint Strike Fighter, C130 (Hercules aircraft), the P-8 Poseidon (surveillance aircraft), joint direct attack munition (JDAM smart bomb kits) and a few naval vessels.”

    This particular firm has been confirmed as a fourth level contractor to the main Defence Force. This means the hackers could still get into the main information via a partner of the organisations – four levels down!

    Why aren’t we learning?

    Less than six months ago, WannaCry, the biggest cyber-attack to ever hit the internet, occurred. The simple lesson learned from this should have been to update all networks, computers, and passwords. This can be done in a few hours depending on the size of your organisation.

    If we break down the facts of this case, there are some key questions and discussions coming up:

    • The Defence Force should have had a plan in place for all associates of their organisation.
    • Why did no one check supply chain security, yet the supply chain is still being blamed?
    • The usernames and passwords were not adequate. This should have been noticed earlier.
    • How does a hack lasting nearly 12 months not get picked up?
    • Is the idea of a foreign state hacking a concern?

    The answer to that last question is no. In fact, foreign state powers trying to hack each other has happened since the internet was first set live – it’s nothing new. The key question here is more about the order and control of their supply chain in the first place.

    What might happen now?

    Nothing is likely to happen. Like with most hacks, it’s an opportunity to boast how good you are at it. The most likely scenario now is a ransom put on the return of the information. Or we may never hear about this again, meaning it’s been taken higher.

    The ASD, for now, has dubbed the hacker “ALF”, after a character in the TV soap opera Home and Away. At least they’re seeing the humorous side to all this!

    Mr Clarke described the security breach as “sloppy admin” during his press conference. Most IT people could spot holes in the system; it’s the higher authorities who should have put checks in there in the first place.

    What you need to do, right now!

    If you didn’t already do this in May following the WannaCry cyber-attack, go and ask your IT team when they last changed passwords.

    You need to then check how up to date your security systems are.

    Then, most importantly, you need to get in touch with any third parties you’re associated with and your supply chain! As stated by Alastair MacGibbon, the Special Adviser on cyber to the Prime Minister, on breakfast news, “this is a supply chain issue, not the Government’s fault”. Sorry, Alastair, you can’t blame your supply chain; the responsibility for a disruption remains with the company.

    If, for example, you were an airline based in Australia, you would have hundreds of supply chain dependencies, even right down to the travel agent. There would be many websites and potential gateways to stay on top of. Starting to work these out and knowing what is what will maintain your resilience.

    Your DRP (Disaster Recovery Plan) and ITDR need to be looked at, right now. Even if you looked at it last week, you need to double check it’s up to date and where it needs to be.

    Coincidentally, I’m about a day off finishing my article on the Auckland Fuel Crisis follow-up. In this, I discuss contractors and how we often look to blame a third party when something like this happens. In fact, your stakeholders aren’t going to do that, and neither is the media.

    We still don’t know officially who these contractors were, but we’re all happily blaming the resilience of the Defence Force here when really, many authorities and people are involved.

    Conclusion:

    I will be following up this story as it progresses, as I believe it is a huge eye-opener for Australian and New Zealand organisations.

    RiskLogic specialise in modules around Business Continuity for your supply chain. We’ve been doing it for over a decade. As well as this, we have industry leading cybersecurity modules & plans for all types of organisations. Our senior consultants and trainers live and breathe this daily across Australia & New Zealand. If you’re concerned about possible holes in your supply chain or cyber-security, give us a call now, obligation free.

    Until then, plan, do, check & act…

  • How to Avoid the Auckland Fuel Crisis Reoccurring

    How to Avoid the Auckland Fuel Crisis Reoccurring

    An overview

    In mid-September this year, Auckland went through a serious event that involved a major fuel line at Auckland International Airport being damaged. The result was city-wide and nationwide frustration as the lack of fuel caused a steady ripple effect of issues.

    Whilst most businesses could operate as normal, there have certainly been some interesting developments and issues surrounding what we did about it.

    RiskLogic spent some time recently pulling the facts on this crisis.

    Overview of stats:

    • Suspected digger driver/contractor tears main fuel line in Northland.
    • Airlines reduced to 30% of fuel.
    • Thousands miss key flights and connections internationally.
    • Government warned of potential risks back in 2010.
    • Supply chain issues and preparation to blame.

    A Summary: What happened in Auckland?

    The leak, caused by a one-man digger 8km south of Marsden Point oil refinery in Northland, was discovered last Thursday. At the time, it was expected to affect about 2000 travellers a day as jet fuel is rationed.

    The damage to the 130km pipeline resulted in airlines being restricted to only 30% of fuel allowance per trip. This meant most international flights were cancelled over that weekend.

    Fuel Industry spokesman Andrew McNaughton said on the 19th of September that “we are certainly taking up the Government’s offer of the Navy vessel that can distribute diesel…as well as their technical expertise”, suggesting that the Fuel Industry didn’t have this in place to begin with.

    Four of the Z Fuel stations in Auckland were out of their 95 Premium gas after 24 hours due to the delays.

    More than 30 flights, including 12 international trips, were cancelled on the Tuesday morning. By the Wednesday, thousands of passengers were planning for rescheduled flights with hundreds of complaints and communication issues streaming into Auckland Airport operations.

    “As with any spill, the regional council is investigating the circumstances leading up to it and will consider what, if any, further action is appropriate in due course”.

    A spokesperson for Northland Regional Council said most swamp kauri extraction on farmland (area of the incident) in Northland did not require resource consent from the regional council, and none had been issued for the area where the pipe was damaged.

    “However, the council stresses any such action is currently secondary to its primary focus; ensuring the appropriate recovery of the spilt fuel and clean-up of the site.”

    It was reported that 80,000 litres of fuel were spilt at Ruakaka (roughly two tankers’ worth), but the council confirmed no waterways were affected.

    How were businesses affected?

    The most affected organisations seemed to be Auckland’s daily airline providers and the Government. In 2012, National were warned of the vulnerability of this fuel line; however, Bill English (New Zealand Prime Minister) said the arrangements for this fuel line were between the fuel companies and airlines.

    Labour leader Jacinda Ardern used this as an opportunity to comment on the Government’s lack of infrastructure and plans to New Zealand businesses.

    When discussing the impacts and looking for an update from our Auckland-based client Rakon, Andre Greissner, Engineering Manager, Equipment’s & Facilities, mentioned that although their organisation was not affected, it was a big wake-up call to the massive impacts it could have had.

    “We’ve had exactly the same issue five years ago. Two weeks [of] total gas outage in the city because the only pipeline got damaged in a mudslide. And that was known to be a serious threat too, for years”.

    Locals in Ruakaka mentioned to NewsHub reporters that they had seen multiple diggers in this location as far back as 2011. Trees, swamps and new lines have been removed in this location over the years.

    It was reported that only 12 local Auckland businesses were temporarily closed during the crisis. All of these businesses were in some way related to the aviation industry and none were closed more than 48 hours after the event.

    What key lessons can we learn?

    Interestingly, around the time of this event occurring, RiskLogic was meeting with our partners Aon to understand the concerns around contractors on site for our clients:

    • Are these contractors briefed?
    • Do they know the precautions your staff usually take?
    • Yes, they understand basic health & safety, but are they aware of possible major impacts to your business?

    During our training session with the Greater Wellington Regional Council this month, we identified that on many occasions for New Zealand organisations, contractors are frequently on site. More and more organisations are outsourcing; that’s not unusual and can be a very efficient way of delivering a key business function.

    As an organisation, you should consider a few things about your supply chain or contractor:

    • How effective and prepared is my supply chain?
    • How briefed are our contractors?
    • Could we afford complete downtime/offline mode for more than 24 hours as a result of something our contractors did?

    The argument between the fuel line contractors and the public is that a local farmer caused this event. The public, especially locals, refuse to believe this, as most media outlets are blaming the contractor. It’s not uncommon to see finger pointing and passing the buck. However, as I’ve stated before, if you were affected by this event and it resulted in an interruption to your services (whatever that might be), to your key stakeholders, the responsibility still lies with you. You have to have a contingency to deal with this.

    The key lesson here is that your resilience plan should cross all areas of operation, including contractors and supply chain.

    What can you do today to ensure you’re better prepared if something like this happens again?

    • If you’ve got a Business Impact Analysis (BIA), it’s time to dust it off and check your critical functions and their external dependencies. What does the delivery of those functions rely on from an external party?
      • Name of the third party; do they still exist?
      • Who is the primary contact?
      • Have they got up-to-date site clearance?
      • What is their level of resilience? Have they got a plan, and have they validated it?
    • If you haven’t got a BIA – get one. Think of some scenarios that may affect your external party and ask them how they would respond:
      • Another fuel crisis
      • A city-wide weather event, closing roads
      • Major power loss
      • Earthquake
      • Cyber event
    • Create a desktop exercise to test your internal procedures, and invite your contractors or supply chain to attend.

    How can we all avoid it happening again?

    Your Business Impact Analysis (BIA) should be able to identify the potential risks and threats that may eventuate for your organisation. If a fuel crisis isn’t on there, then it might be worth adding it. Both the Fuel and Aviation industry should have identified this event to be a potential risk back in 2011, but as no one wants to take the blame now, neither has proved they did.

    Make sure you are not caught out by someone else’s shortcomings. You can get on top of this by taking a look at your current BIA today!

    As I write this article, we have seen yet another example of 3rd party and supply chain disruption causing a major outage. Check out my defence force article here: http://risklogic.co.nz/how-the-defense-force-was-hacked/

    Until next time, Plan, Do, Check and Act…

  • The Responsibility Falls on You, Not the Contractor

    The Responsibility Falls on You, Not the Contractor

    Are there contractors working on our site? If there are, then they should be categorised as our staff. Good response plans will always have an immediate response action checklist. Despite most organisations having different internal procedures and areas to focus on during an event, I would hope that they all follow a similar structure, something like this:

    Safety & Wellbeing Check:

    • Am I OK?
    • Is my family OK?
    • Are my colleagues OK?
    • Are customers or visitors in the office OK?

    These are all very relevant points, but you need to dive deeper into this, specifically with visitors.

    You are responsible for everyone on site

    Are there visitor-contractors working on our site? If there are, then they should be categorised as our staff.

    Why should there be a difference between contractors and staff? After all, when I come to your site and train your staff, I’m a contractor…and I’m pretty important!

    Maybe it’s time to start considering the following:

    • Have contractors signed in and do we know their whereabouts?
    • Have they done an induction that includes how we as an organisation respond to unexpected events, and what we expect from them?

    – I recently visited a rail and coal client in Australia who presented me with a very professional and detailed video on their Emergency Plans. Amazing stuff (blog coming soon on that one)!

    • Do they have a Business Continuity Plan? Do they have a back up to support us if they suffer a disruption?
    • Can we stop them talking to the media if they turn up?
    • Should we start to include them in our training sessions and scenario exercises?

    We’ve seen this before

    The recent Australian Defence Force Hacking was a prime example of why you need to know your contractor’s processes inside out. It also highlights that they don’t necessarily need to be onsite to impact the way you run your operation.

    I bet few people can name the contractor in question who failed to put up effective defences to prevent a cyber-attack, but we all know that at the end of the day, the buck stopped with the Australian Defence Force!

    Another prime example that recently came up in my training session was around how some CCTV footage and sensitive documentation is being left with third-party contractors. Again, if any of this was to be leaked, how would you respond?

    Facial recognition for CCTV is currently being used by law enforcement across Russia and now the UK. Australia will adopt this technology as well should the rollout be effective.

    However, in terms of practical use, it can be very shady technology, similar to when you’re trying to tag your friends on Facebook and it selects the wrong person’s face. It’s still got progress to make, which also makes it very vulnerable to attacks right now.

    Hacking a phone and laptop has never been easier, so where does the chain of connections end in your organisation?

    How you should be dealing with them

    I get it, it’s hard. It’s hard to get a contractor on the phone and ask them if they’ve got business continuity in place and, if not, why not. But you need to do this. RiskLogic has provided basic, smaller Business Impact Analyses and Emergency Plans for our clients’ contractors before, and this is a positive, quick win in getting them aware and interested in business continuity.

    Start with the basics:

    • What information do they have?
    • How are they storing it?
    • What are their backups?
    • What are their response plans like?
    • How can you help to protect yourself?

    I’ll be spending a bit of time around this in the New Year as I believe there is a big gap in the resilience here. It’s important in New Zealand that we stay ahead of this. Could you imagine how many contractors are chipping away in our small country right now?

    Until then, plan, do, check & act…
