Blog

  • Pick me! How to select a team member when the talent pool is extraordinary

    Pick me! How to select a team member when the talent pool is extraordinary

    Here is a challenge, which may also test your unconscious bias.

    If you had to appoint one person to manage your crisis management or business continuity strategy, who would you go with?

    1. A former police forensic scientist who worked in INTERPOL’s Counter Terrorism and Emerging Threats Directorate, with commendations from the FBI and the US State Department.
    2. A former Australian Army officer with Honours Degrees in Biomedical Science and Biochemistry who has conducted health support operations in Australia, PNG and Bougainville.
    3. A senior risk and resilience specialist with ten years in the oil and gas industry in Canada and the Middle East, a Degree in Human Geography and Criminology and a Masters in Science, Security & Organisational Risk Management.
    4. A certified Business Continuity Practitioner with a decade in business resilience and crisis management in the telecommunication, insurance and finance sectors, including experience in South East Asia.
    5. A former senior Australian diplomat who has supported Australia’s crisis response to events in Iraq, Syria, Bangladesh and Nepal, including service in Australia’s Embassy in Afghanistan.
    6. An MBA qualified banking and finance executive, with 11 years across Westpac and NAB, with deep networks in boards and executives across Australia’s largest listed and private companies.

    It is such a tough decision to choose only one, right?

    The good news is, RiskLogic now has all these people on our national team, with six new appointments and promotions.

    And if you pictured six highly qualified men, think again, because all these appointments are women.
    Not only have they brought an extraordinary diversity of experience to the team, they also build on RiskLogic’s gender diversity and reinforce the value of having highly skilled women at the helm in crisis situations.

    They provide our clients with an unparalleled depth of capability and ‘lived experience’ in business continuity and crisis, incident and emergency management.

    So who are these talented women? Check out their full credentials on LinkedIn here:

    1. Dr Rebecca Hoile, our new Senior Manager, Resilience in our new Adelaide office
    2. Briony Morgan, promoted internally to Senior Manager, Resilience in our Queensland team
    3. Joanne Costa (nee Hill), promoted internally to Senior Manager, Resilience in our Victorian team
    4. Razia Namazie CBCI, AMBCI, our new Senior Manager, Resilience in the NSW team (returning to RiskLogic after previously working here in 2012-13)
    5. Jessica Petersen, our new Manager, Resilience in our Victorian team.
    6. Vanessa Jaber, our new National Client Engagement Manager

    If you need help or advice in business continuity or crisis management and want to tap into the skills and experience of these extraordinary people, start a conversation with us today.

  • 5 reasons why you should have a business continuity plan

    5 reasons why you should have a business continuity plan

    What happens if a cyber-attack shuts your systems down for days, weeks or even months? How are you going to contact your staff, stakeholders, suppliers and customers? What will be the most efficient way to get your operations back to business as usual? If you don’t have the answers to this, then you don’t have a Business Continuity Plan.

    Whilst you may not be able to predict every kind of event or incident that could occur, a Business Continuity Plan will help you prepare for and recover from the most likely events or incidents you could face. The lack of a Business Continuity Plan may have severe impacts on your business operations and could affect your financial viability and reputation.

    If you’re still putting business continuity planning into the ‘too hard’ basket, here are 5 reasons why you should move it to the top of your priority list.

    1. Minimise downtime
    The primary purpose of a Business Continuity Plan is to minimise downtime. Whether you suffer from a natural disaster or a ransomware attack, the best way to stay in business is to continue business-as-usual operations as soon as possible.

    2. Continue business-as-usual operations
    Some Business Continuity Plans allow the business to continue business-as-usual operations during an incident by including back-up and recovery sites. These are off-site areas where critical business functions can operate from, regardless of damage or inaccessibility to the usual site.

    3. Communicate confidently
    In the event of an incident, you will want to establish order amongst the chaos. A Business Continuity Plan will outline a chain-of-command delegation of responsibility and outline reliable communication channels.

    4. Compliance
    Some industries require a business to have a well prepared and tested Business Continuity Plan to comply with industry regulations. Industries such as insurance may offer lower premiums for businesses with a robust plan.

    5. Your reputation matters
    When things go wrong, your shareholders, customers and the public will be watching very closely, and in the absence of information, they automatically assume the worst. The speed and effectiveness of your response could make or break your reputation.

    There’s no time like the present to prepare a Business Continuity Plan for your business or review your existing plan. If you need any help, reach out to our experienced consultants. Having helped hundreds of clients since 2005, we do know a thing or two about Business Continuity Planning, so start a conversation today.

  • Building APS910 compliance into Business Continuity Plans

    Building APS910 compliance into Business Continuity Plans

    Following the Global Financial Crisis (GFC) in 2008, the Australian Government introduced the Financial Claims Scheme (FCS) to protect depositors. The Prudential Standard APS910 – Financial Claims Scheme, released in 2013, required Authorised Deposit-Taking Institutions (banks, building societies and credit unions – referred to as ADIs in this article) and general insurance companies to implement measures to ensure they are adequately prepared, should they become a declared ADI for FCS purposes.

    In recent years, APRA has conducted a range of activities designed to strengthen and facilitate improvement in ADIs’ FCS operational preparedness levels. These activities comprised prudential reviews, an FCS readiness survey and benchmarking exercises to review APS910 audit reports and CEO attestations. These observations highlighted gaps, leading APRA to make recommendations for improvement in APS210 to support further operational maturity.

    What is APS910?

    APRA Prudential Standard APS910 – Financial Claims Scheme (FCS) is an Australian Government initiative that protects depositors of authorised deposit-taking institutions and policyholders of general insurance companies from potential loss in the unlikely event that one of these financial institutions fails. The scheme ensures that depositors do not lose their deposit, but rather are paid out by the Australian Government. Under the FCS, deposits are protected up to $250,000 per account holder at each ADI. For insurers, the Australian Government will cover up to $5,000 of valid claims per policyholder. Claims above $5,000 are also covered under the FCS for eligible policyholders and certain third parties.

    If the FCS is activated by the Australian Government, APRA will be responsible for administering it within 7 calendar days. For APRA to administer the FCS within this timeframe, ADIs need to provide APRA with key details of account holders within 48 hours.

    Who does it affect?

    APS910 applies to ADIs such as banks, building societies and credit unions, as well as general insurance companies. A comprehensive list of Authorised Deposit-Taking Institutions is available on the APRA website.

    Who is ultimately responsible for APS910?

    The Board and senior management of an ADI are ultimately responsible for ensuring that appropriate policies and procedures are in place to ensure the integrity of the operations, internal controls and information required under this Prudential Standard.

    Why is it important now?

    Whilst APS910 is not new to ADIs, compliance should be reviewed following an APRA recommendation that resulted from the Banking Royal Commission. The recommendation, supported by the government, introduces the Banking Executive Accountability Regime (BEAR). The BEAR is responsible for all steps in the design, delivery and maintenance of all products offered to customers by the ADI and any necessary remediation of customers in respect of any of their products. Furthermore, updated technical questions on the Financial Claims Scheme were published on the APRA website in September 2018, indicating a focus on ADIs and their compliance.

    What do you need to do to comply*?

    APRA emphasises five major areas that ADIs need to address in order to ensure compliance with APS910.

    1. Financial Claims Scheme Framework – ADIs should review FCS governance procedures to improve Board and senior management awareness and oversight (accountability and responsibility) as well as including FCS related components in an appropriate risk management framework. ADIs should also review and update operational FCS plans and integrate them with other relevant crisis related plans where appropriate.
    2. FCS Testing – ADIs should ensure internal FCS testing occurs, at a minimum, in line with APRA’s testing schedule. Test results – including shortcomings with FCS-related systems, processes and reporting as well as respective causes – should be documented, along with remediation plans and timeframes.
    3. Data Integrity – ADIs should thoroughly investigate and analyse FCS reporting and testing results against clearly defined tolerance levels. Timely reconciliations and checks should be performed with the generation of each report with tracking of issues, and a remediation plan linked to the risk management framework. ADIs should work to reduce exception numbers and values to acceptable levels that are within the tolerance set by the ADI.
    4. Reporting – ADIs must take steps to ensure systems have the capability to be updated to reflect account holder balances post FCS payments.
    5. FCS Communication – ADIs should examine the FCS information currently contained on their website and in PDS documents to ensure it is accurate, up-to-date and easily accessible. ADIs could also consider the positive benefits that FCS protection offers account holders and help to facilitate this messaging.

    APRA has clarified that systems capacity, communications and testing requirements are to be in line with business continuity planning arrangements. If you haven’t yet reviewed your compliance with APS910 and how it can be integrated into existing Business Continuity Plans, reach out to our experienced consultants today.

    Sources

    APRA Financial Claims Scheme
    APRA APS910
    Federal Register of Legislation
    *This section is contributed by Amy Mallick, RiskLogic Resilience specialist

  • Why is the value of social media in a crisis still being ignored?

    Why is the value of social media in a crisis still being ignored?

    It astounds me that so many businesses still don’t grasp the importance of using social media as a critical communication tool to both listen and talk to their stakeholders in a crisis situation.

    Either they still don’t understand social media (umm… it has been around for more than a decade), or they are simply too scared to use it (possibly fearing a pile on).

    The simple fact is, the community will pummel you on social media regardless of your lack of engagement. And then a second time because of it.

    I also question why businesses do the right thing by providing a media interview or statement, but then fail to post it on their own website. Why wouldn’t you publish your message where everyone can read it, in full and unfiltered, rather than relying on the media to tell your story?

    During this year’s ski season, a chair fell off the Gunbarrel Express chairlift at Thredbo Ski Resort. Extremely luckily, the single passenger on board suffered only minor bruising.

    Thredbo put out a media statement to say it was caused by “a freak gust of wind”. They did the right thing by posting the statement on their Facebook page, but then totally ignored the 470+ comments that followed, and the hundreds more on Twitter and other online ski forums.

    Many of these comments seriously questioned the safety of Thredbo’s lifts, including a very nervous passenger who witnessed the incident from the discomfort of the following chair:

    This post had a very sensible suggestion. It should have been one of Thredbo’s key messages:

    Not engaging on social media in a crisis is a serious blind spot.

    If a communications advisor doesn’t include social media as an integral listening and response channel in a crisis communications response, you need to find someone else for the job.

    Although in defence of communications professionals, sometimes executives or members of a crisis management team think they are more qualified in communications and overrule recommendations to engage.

    In that case, they get what they deserve.

    One of my favourite mantras in crisis communications is: “In the absence of information, people automatically assume the worst”

    It is basic human psychology, the power of which should never be underestimated in a crisis.

  • Schools in lockdown – How we move forward

    Schools in lockdown – How we move forward

    In late August 2019, the Ministry of Education shared its outsourced review of the city-wide lockdown during the 15 March events.

    This 84-page report covered some key areas of consideration including:

    • the quantitative results of their research;
    • timeline of events;
    • stakeholders and current policies;
    • Canterbury survey results, and
    • the MOE’s Emergency Management Plan template.

    With this significant review now complete, many educational precincts have plenty of formal problems to review, with few solutions.

    In association with CQCommand and Linwood Avenue School, over this 30-minute webinar, RiskLogic will focus on the demands of People Welfare (both students & stakeholders) and overcoming mass-communication in similar events. Focus areas will include:

    • blind spots, case studies, and lessons learned (in line with the report);
    • key takeaways and actionable steps from the report;
    • what your next steps should be right now.

    We are joined by:

    • Principal Blair Dravitski of Linwood Avenue School to provide his experiences on the close proximity of the Linwood Mosque attack, followed by his handling of the excessive media attention.
    • RiskLogic’s National Operations Manager & Resilience specialist, Cheryl Hambly who brings with her two decades of knowledge within the educational sector.
    • Brad Law, RiskLogic Country Manager, who had an active part in supporting our Christchurch-based clients during the lockdown. With his extensive experience in mass communications and crisis management, he will lead the discussion and share direction for schools throughout New Zealand following this report.
  • Deepfake voice generation now being used by cyber scammers

    Deepfake voice generation now being used by cyber scammers

    Remember the scene in Terminator 2 where Arnold Schwarzenegger (playing the good cyborg) mimics John Connor’s voice on the phone to talk to his mum (who was being mimicked by the bad cyborg)?

    Well, science fiction appears to have become science fact, with the emergence of a new fraud in Germany involving deepfake voice generation.

    The Wall Street Journal has reported a case where a scammer called the CEO of an energy company and impersonated the CEO of the parent company, duping him into urgently transferring €220,000.

    The case has highlighted how AI can now be used to machine learn from existing audio files to accurately mimic someone’s voice, right down to their accent and tone.

    For CEOs and media spokespeople who are regularly on TV and radio, it is especially disconcerting.

    The company has not been named, but their insurer, Euler Hermes Group SA, has outlined the details.

    As our Head of Cyber Security Daniel Muchow says, “if you don’t expect it, you should suspect it”.

    “We have seen plenty of examples of this via email, where CFOs are targeted by their ‘boss’ to urgently transfer a critical payment, but this takes it to the next level,” he said.
    “There is no end to how far hackers will go to convince you or your staff to hand over company money.”

    “While some of them target the biggest businesses with the deepest pockets, others target businesses that may have less sophisticated checks and balances in place.”

    “The big lesson here is, if a payment is urgent or out of the ordinary, take two minutes to pick up the phone and check it out.”

    If you want to discuss your level of Cyber response preparedness, contact RiskLogic to find out how.

  • Is your business resilient to Grey Rhinos and Black Swans?

    Is your business resilient to Grey Rhinos and Black Swans?

    The animal kingdom seems to be used more and more as a metaphor and symbol of human behaviour, both physically and psychologically. There are elephants in people’s rooms and black sheep roaming within people’s families and social groups.

    Yet in the business of risk and resilience, we find ourselves facing two other animals – the ‘Grey Rhino’ and the ‘Black Swan’. The ‘grey rhino’ is a known risk or threat that people choose not to act on despite the potential for harm. It is seen as something that is present, with a series of warnings – an event that is highly probable yet somehow neglected.

    In business, this can translate to those things that directly or indirectly impact everyday operations and services, including outdated policies, conflicting procedures and practices, and ongoing disputes.

    By comparison, the ‘black swan’ is an event that cannot be predicted, appears seemingly out of nowhere and has a profound effect across a multitude of sectors. Examples include the 2008 Global Financial Crisis, Japan’s tsunami and the Fukushima Daiichi nuclear disaster, terrorist attacks like 9/11, and the 2019 Christchurch shootings.

    Globally, grey rhinos are being taken more seriously, with many politicians and world leaders quoted in the media describing economic and political instabilities as ‘grey rhinos’ in the distance. The lesson we can take from this type of media exposure is to use the opportunity to envision the grey rhino risks within our own businesses, identify the likelihood and scale of their impact and prepare adequate business recovery strategies.

    Keep in mind, protection from grey rhinos is about more than physical safeguards. The impact of a problem that was apparently in front of you the whole time may have cascading consequences, impacting your business culture, brand and reputation.

    In terms of risk management resources, many have argued that one cannot dedicate time and resources to preparing for a Black Swan event. However, taking the time to identify the grey rhinos, and strengthening your resilience through crisis management and business continuity, will surely build a foundation from which you can react to and recover from a Black Swan that might land on your doorstep.

    If you want to discuss your level of resilience preparedness, contact RiskLogic to find out how.

  • Maintaining business continuity in a fuel crisis

    Maintaining business continuity in a fuel crisis

    The recent drone attacks on key oil installations in Saudi Arabia highlight the risk of disruption to world oil supplies. While the damaged Abqaiq refinery produces only 5% of global fuel supplies, around 90% of Australia’s imported fuel comes from the Middle East. An extended disruption in the Middle East would impact Australia’s fuel supplies.

    Multiple threats to Australia’s liquid fuel supply chain make businesses particularly vulnerable in a fuel emergency. Threats to our fuel supply include natural disasters, political instability, declining onshore refining capacity, as well as cyber and terrorist attacks. Ports receiving fuel are additionally subject to disruption from severe weather, accidents, equipment failures, industrial action and delays.

    What happens if Australia runs out of fuel?

    Disruptions to any stage of the fuel supply chain can have a significant flow-on effect to the business community. In 2015, aircraft at Melbourne Airport had to be rescheduled and refuelled at another airport due to the late arrival (by 3 days) of fuel ships1. In December 2012, when the Altona refinery was closed for scheduled maintenance and Victoria’s second refinery in Geelong was unexpectedly shut down due to electrical problems arising from a storm, many retail outlets in regional Victoria ran out of fuel quickly and were without diesel, and many Melbourne outlets were similarly affected2.

    Under the Liquid Fuel Emergency Act 1984, the Australian Government has the authority to prepare for and manage a national liquid fuel emergency. Each state and territory also has arrangements in place to deal with liquid fuel emergencies within their respective jurisdictions.

    Protecting business continuity
    The reality is, in a fuel emergency, the management of available fuel will be out of the control of individual businesses, even those who consider themselves ‘essential users’. Will your organisation be able to carry on business as usual if your staff are unable to get to work or fly out for important meetings? Does your business have the technology to carry on the business with staff working remotely?

    A business continuity management plan that addresses a major fuel shortage is essential. “Fully assessing and understanding your company’s exposure to supply chain disruptions is the first step towards resilience and business continuity”, says Ben Patrick, Regional Manager at RiskLogic. “Thorough Business Impact Assessments (BIAs) will identify the dependencies within your supply chain. A detailed understanding of the associated critical business functions will form your business risk profile. In turn, appropriate strategies can be developed and tested using real-world scenarios. This is how you develop business resilience and capability in the face of a crisis.”

    Businesses in Australia are predicted to be dependent on oil until at least mid-2030, with the ever-present risk of a major disruption to liquid fuel supply. Sound business continuity planning and staying informed about government fuel priorities are essential. The Department of the Environment and Energy’s Liquid Fuel Security Report, due for release in 2019, will set out the Government’s priorities for fuel usage. This report will be essential for businesses to help them understand the potential implications for Australia’s supply chain if there is a fuel crisis.

    To assess the effectiveness of your business continuity plan, or to develop a plan, contact RiskLogic to find out how.

  • APRA’s information security requirements: is your organisation prepared?

    APRA’s information security requirements: is your organisation prepared?

    With one in 10 Australian businesses reporting an internet security incident breach1, effective management of increasingly prevalent and sophisticated attacks on information is critical. Australian regulators have also begun tightening data management, cyber resilience and information security requirements with APRA’s standard CPS 234.

    The new standard, which came into force on 1 July 2019, clarifies steps organisations need to take regarding board oversight, information security controls and notification of information security incidents. For those organisations whose information assets are managed by third and related parties, the new APRA obligations will begin from 1 July 2020 (or the date on which the relevant third or related party arrangement is renewed or materially updated).

    Establishing a clear information security framework

    To be ready for 1 July 2020, regulated entities such as authorised deposit-taking institutions (ADIs), superannuation funds and health insurers (that rely heavily on external providers for information management), need to start establishing an appropriate framework now.

    ‘Assessing and reviewing the adequacy of the information management service provider is an essential first step in establishing a new or updated framework,’ says Daniel Muchow, Head of Cyber Security at RiskLogic. ‘The framework must also show clear ownership and accountability for information security tasks and functions, clearly define escalation paths and thresholds, and establish compensation measures.’

    Detecting and responding to information security incidents

    Under CPS 234, the APRA entity must also have robust mechanisms and plans to detect and respond to potential information security incidents. ‘Organisations need to be prepared for a worst-case scenario. Even the most rigorous control testing or the most sophisticated encryption protocol can be subject to attack with potential loss of information,’ says Mr Muchow.

    CPS 234 applies to all information assets, not just personal information or data. This includes software, hardware and hard and soft copies of data regardless of materiality. ‘Even if an organisation considers an asset immaterial, a cyber attacker could use this asset to compromise assets with higher levels of criticality and sensitivity,’ confirms Mr Muchow.

    Notifying APRA

    Under CPS 234, all APRA-regulated entities must notify APRA of any information security control weakness or information security incident:

    • that is material, or
    • has been notified to any other Australian or foreign regulator.

    This is required even where information assets are being managed by a third party.

    The APRA regulated entity must notify an information security incident to APRA within 72 hours after the APRA entity becomes aware of the relevant incident or vulnerability. This reporting obligation reinforces the importance of rigorous protocols when working with third parties to ensure information security incidents are communicated to the contracting organisation in a timely way.

    Following the Financial Services Royal Commission of 2018, we anticipate that APRA will rigorously enforce the new standard. Organisations using third party providers will need to be particularly vigilant to ensure there is a clear framework to enable compliance with APRA’s new standard.

    For help protecting your information under APRA’s CPS 234, contact RiskLogic on 1300 731 138 today.

    Visit the APRA website for more information on CPS 234.

  • Don’t shoot the canary in your coalmine

    Don’t shoot the canary in your coalmine

    Some people grumble that the advent of social media has increased the risk of bad publicity for businesses because it only takes one grumpy customer with a smart phone and an Instagram following to create a damaging pile on.

    While this is true to an extent, it ignores one of the major benefits of social media.

    That is, complaints, negative comments and bad reviews on social media are free market research for businesses who may otherwise be oblivious to problems at customer level.

    Twitter’s little blue bird really should be bright yellow, because it is like a canary in a coal mine. It is very easy for businesses to monitor the canary, identify emerging problems and fix them before they become costly.

    So if a canary in your coal mine starts tweeting negatively, don’t complain about unfair damage to your brand reputation. Instead, listen, be grateful and do something about it before it explodes and turns into a communication nightmare.

    What if the complaint is totally unfounded or unreasonable? Well, some battles just aren’t worth fighting. You should respond respectfully, demonstrate your great track record, bust any myths and move on with your day.

    And don’t forget what it was like in the “old days” when you were 100% beholden to the traditional media in a crisis. After a lengthy media conference, you would hope and pray that the media used just one grab to tell your side of the story.

    Don’t get me wrong, traditional media is still very important and powerful, but social media allows you to communicate to your stakeholders directly, in full and unfiltered.

    You just have to make sure your message is transparent, authentic and relevant to those at the coalface.

    For a well-prepared response, you’ll do well to include social media in your crisis communications plan – being prepared means you’ll hit the ground running when a crisis hits. If you need help with your communication strategy or communication plan, start a conversation with our team today.