“….we fall to the level of our training”

The full quote, attributed to Greek philosopher Archilochus, is “We don't rise to the level of our expectations; we fall to the level of our training”.

Once upon a time an executive team might have days, possibly weeks, to ponder a problem and develop a response. In the 21st century they have minutes to identify the problem, push out a holding statement and start responding. They need to provide updates to staff, customers, shareholders, markets, and regulators who demand that action is decisive, swift, and precise. Expectations are high.

Being decisive, fast and precise under pressure comes from practice. We fall to the level of our training.

What is the delta between the expectation and the proven level of training in your organisation? Here’s a clue: if you hear people say “In the real crisis our start is always a bit disorganised, but we do scramble well” it is possible that confidence exceeds capability.

A useful model for developing your organisation’s capabilities is Plan/Prepare/Respond/Recover.

Let’s look at planning and preparation.

You’re an experienced risk manager who’s analysed your organisation’s risks. Controls have been established to reduce the likelihood and/or consequence of a realised risk to as low as reasonably practicable – but not zero.

What happens when the risk is realised? Now what?

A response is required. The plan you developed will help.

Or will it?

How do you know it will work? Did the assumptions you made in planning hold true? Will the resources you planned for be available? If you are not there, will anyone know what to do?

The critical bridge between “Plan” and “Respond” is “Prepare”. Preparation is the glue that holds the plan, and the people using it, together.

Deloitte published a useful paper in 2018 titled Stronger, Fitter, Better: Crisis Management for the resilient enterprise.  

Perhaps the most pertinent observation is that while executive teams reported confidence in their ability to respond, the rate of exercising to confirm that preparedness was low. Interestingly, the most obvious risks with the most obvious solutions were the ones people practised.

For example:

1.      IT System failure: 90% of respondents confident in their response and 50% had undertaken simulations

2.      Cyber-attack: 89% of respondents confident and 53% had undertaken simulation

In comparison, 88% of respondents stated they were confident to handle a corporate scandal. But only 17% of respondents had conducted an exercise using such a scenario. Similarly, the results for regulatory/policy change were 89% confidence but only 25% had practised managing such a crisis.

Deloitte posit that confidence outstrips preparedness. We agree.

Is your organisation practising the easy stuff, like problems where there’s an obvious, technical solution? Compare your organisation’s risk profile to its recent crisis exercises. Are your exercises related to the risk register?

The Deloitte study suggests that executives are more comfortable participating in an IT Disaster Recovery-related crisis or a cyber-breach response. Why are they less comfortable to participate in a corporate scandal scenario?

Perhaps they think such a crisis is a Black Swan. Some of our clients have said their executive is uncomfortable or believes it’s too difficult to deliver these scenarios in an exercise.

To the first point: Yes. It is (and should be) uncomfortable. If it is on your organisation’s risk profile it is something of concern. Would your CEO and Executive Team prefer to be uncomfortable in an exercise or under-prepared for reality?

With respect to being difficult to deliver, that is why you use an external provider like Tigertail. Designing plausible and realistic exercises requires special skill and experience. In our collaboration with you we develop:

  • opportunities for your crisis management team to practise using procedures and tools in the context of a complex problem

  • a safe environment to practise using procedures and tools

  • a collaborative environment for your executive and subject matter experts to test assumptions, recognise and manage biases

  • an exercise that is as controlled or dynamic as you choose

  • assessment criteria to inform an exercise report and assure the Risk and Audit Committee

Well-developed and run exercises validate your plans, reinforce good practice, refresh memories and rehearse responses. Your people, and your bottom line, will benefit.

Tigertail Australia has the background and experience to equip your organisation with skills to manage risk, crisis, and emergencies confidently and effectively. The Tigertail team includes crisis and emergency management leaders, business continuity specialists, risk management advisors, planners, and trainers with more than 150 years of combined experience, covering prevention and preparedness to response and recovery.

Author: Craig Moroz

W: www.tigertail.com.au T: +61 2 8907 1900 E: craig.moroz@tigertail.com.au

TIGERTAIL AUSTRALIA: CONFIDENCE / CLARITY / CONTINUITY

SA Water Executive Team Crisis Management Training and Exercise

SA Water Executive Team Crisis Management Training and Exercise

Pandemic Preparedness: Black and Grey Swans

The COVID-19 pandemic is unprecedented. This global crisis was completely unforeseen. It is a true Black Swan event. We could not have prepared for this crisis.”

While we put quotation marks around the remarks above - they are not attributable to a single person. Rather, they are a collection of sentiments heard in the media, online and in the streets.

We will firstly debunk the remarks, secondly provide an example of how a company with imagination and foresight actually, considered such a crisis in October 2019, and finally - ask you to consider an important question.

Unprecedented:

Although the impact of Covid-19 is unprecedented in our time, the fact that this pandemic has occurred should not be an unexpected shock unless we ignore hundreds of years of records of diseases such as the  Bubonic Plague, Polio, Smallpox, HIV/AIDS, and Influenza. Ironically, some commentators refer to the occurrence of this most recent pandemic (COVID-19/SARS-nCoV-2/HCoV-19) as ‘unprecedented’ while at the same time comparing it to the 1918 influenza pandemic. Pandemics have occurred before, so as such, are not unprecedented.

Unforeseen:

Even with respect only to epidemiology; we can consider the point above and recall quite recent responses to Bovine spongiform encephalopathy (aka ‘Mad Cow Disease), the 2002-2004 SARS-nCoV-1 (or SARS) epidemic and 2009-2010 Pandemic H1N1/09 Influenza (aka “Swine Flu”), and the ongoing concerns of H5N1 Avian Influenza, MERS-CoV.

Perhaps those quoted as referring to this pandemic as being unprecedented refer to the economic and societal effects of this pandemic, its’ global reach as well as to the tragic death figures

In anticipation of a future pandemic, Australia and New Zealand’s governments had a pandemic plan which included a whole of government response. New Zealand’s plan also considered industry participation and described work streams including health, economics, food, and transport. No doubt the government will review and update their plan as they consider the effectiveness of it in response to the current situation.

Black Swan:

By definition, a so-called ‘Black Swan’ event is one that is completely unexpected and unforeseen.

Some in emergency, crisis and business continuity management fields have started using the term ‘Grey Swan’. The motivations and expected benefits behind the creation of such a descriptor are not known. Given human history and the prevalence of disease, a global pandemic is likely to occur relatively frequently.

How can this COVID-19 pandemic be correctly considered to be a true ‘Black Swan’ event when many Governments, including Australia’s, have been undertaking some planning and creating regulations at least since the SARS pandemic?  Some business continuity practitioners, now using the term ‘Grey Swan’, have been discussing pandemics since before Swine Flu.

 A more correct statement:

COVID-19 is the latest pandemic which was reasonably foreseeable and amenable to pre-planning. Many governments and corporations, nevertheless, appear to have been caught unprepared or underprepared. They are now responding in real time to that which they previously avoided examining theoretically - either deliberately or through lack of knowledge.

The example:

Our company - Tigertail Australia created an exercise for the Executive Team of a financial services organisation of around 4000 staff across Australia and New Zealand. When other organisations were focused on data security and cyber breach related crisis exercises, this organisation decided to evaluate and test its pandemic plan. When we queried the theme we were informed that the CEO thought it appropriate.

Tigertail’s exercise was conducted in Australia during October 2019 and in New Zealand during November 2019. Corrective actions agreed with the CEO and Executive Team were timed for completion in January 2020. By early February 2020, that organisation had addressed areas to sustain, improve or fix issues identified through the exercise. Importantly, in response, the organisation enhanced its technology to enable all 4000 staff to work from home.

The initial scenario phase of the exercise considered:

  • Staff who had visited workplaces, customers’ businesses and trade shows while infected, but still asymptomatic, with a highly infectious disease acquired during a recent overseas study tour.

  • Involvement of various State (NSW and VIC) and National (NZ) health authorities

The assembled crisis management team (CMT) focused on these primary elements:

  • Immediate staff safety

  • Immediate customer safety

  • Reputation

  • Continuity of business

In the first phase a group of ‘Primary’ CMT members participated, and an ‘Alternate’ group observed.

The exercise was halted and the CMT was split into two teams. Each team had a mix of Primary and Alternate members. The exercise scenario was ‘fast forwarded’ by six months – the infectious disease had now become a pandemic. Despite their best efforts, the impact of the pandemic on their staff aligned to the wider community experience.

In the subsequent second phase, the two CMTs operated concurrently. Neither was permitted to speak with the other. That constraint was explained as “Either they are sick or have succumbed to the pandemic”.

The scenario had been developed to reflect:

  • A pandemic with a significant infection rate, disease reproduction rate and case fatality rate

  • Significant stock market index falls and loss of value

  • A double-notch decrease in the country’s credit rating

  • Potential of a decrease of the organisation’s credit rating

  • Significant stress on customer’s borrowings and increasing applications for relief under hardship rules

  • Significant stress on customers’ primary industries

  • A class action from the customers whose businesses had been disrupted at the outset of the exercise by the organisation’s infected staff

  • Staff entitlements to leave dwindling rapidly and some exhausted

In the debrief we facilitated the whole CMT identified that they had:

  • Learned that health and well-being of their staff is one stream of many in response to a pandemic

  • Noted that using data from their Business Continuity Management System assisted decision making regarding the prioritisation of resources

  • Seen the benefit of creating work streams to develop and manage short, medium, and long-term responses for staff, customers, community, regulators, and reputation

  • Noted that creating work streams offered time for the Executive Team to consider the strategic issues rather than becoming immersed in the operational response

  • Identified that while a pandemic response should become an important item on the agenda care should be taken to ensure that is not the entire agenda

That debrief was robust and the Chief Executive Officer and Chief Operating Officer overtly sponsored the agreed actions. When Tigertail met with the organisation again in February 2020 it was clear that the knowledge gained in October and November 2019 was driving informed questions focusing on what they may have missed.

The Question:

What are you going to do to ensure that you, your CEO, and your organisation are match-fit and crisis-ready?

Imagine being the CEO above; prepared and able, in February 2020, to brief your Board, industry peers, customers, staff, and regulators on pandemic preparations that had commenced in October 2019 – rather than telling them that “the crisis was completely unforeseen - a true Black Swan event – for which we are unprepared.”

Working with Tigertail would better enable your CEO to be able to state that:

“Yes [X Crisis] is unprecedented. However, through our ongoing diligence we have foreseen something like this happening and what was reasonably foreseeable was amenable to deliberate planning and preparedness. Of course, some of our plans will need to change. We are, however, ready to respond.”

Protecting your people, operations, assets, and reputation is paramount in a crisis or emergency. Tigertail Australia has the background and experience to equip your organisation with the skills to confidently and effectively manage risk, crisis, and emergencies. The Tigertail team has more than 150 years of combined experience. We cover everything, from prevention and preparedness to response and recovery. The team includes Crisis and Emergency Management Leaders, Business Continuity Specialists, Risk Management Advisors, Planners, and Trainers.

Author: Craig Moroz, Senior Associate, Tigertail Australia

W: www.tigertail.com.au   T: +61 (0)408 481 931 E: answers@tigertail.com.au

 TIGERTAIL AUSTRALIA: CONFIDENCE / CLARITY / CONTINUITY

Swan.jpg

Pandemic planning - what, when, how?

The world is watching as a tiny particle sweeps around the planet. Markets are worried. Governments are activating plans and preparing health systems. Smart businesses are taking steps to prepare for significant disruption.

What do businesses need to do?

Dust off the pandemic plan! And the business continuity plan. Think about vulnerabilities - people, supply chains, customers. Consider the measures you've got in your pandemic plan and your business continuity plan and how they are linked.

When should you start?

Now.

How do you prepare?

Be informed. Check out these resources. Talk to your staff, key suppliers and customers. Think about the impact that a really bad flu season has had on your business - then do some "what-if" thinking to help you prepare.

  • Ask for help if you need it - get an independent review of your plan.

  • Wash your hands properly and regularly.

  • Cough and sneeze into a tissue that you throw away, or if you don’t have any, into your elbow.

  • Stay in touch with authoritative sources, such as the State and Australian health departments.

  • Misinformation is spreading faster than the virus - help keep your staff safe by rejecting rumour promoting thoughtful planning.

corona-4881364_1280.jpg

COVID-19

Managing key-person risk

 All organisations, big and small, are built on their staff.  But for many reasons staff might not be available, either for a few days or weeks, or permanently.  They might win lotto; they (or their family) might get unwell or suffer an accident; they might get a better offer; or they might just want a change.  Whatever the reason, resilient organisations accept this as a continuity risk and plan for it.

 At Tigertail like many businesses we are experiencing rapid growth and change and have given this particular risk a bit of thought.  We manage key-person risk by taking a number of steps that we recommend all businesses consider:

  1. Document your policies, procedures, approaches and methods to allow others to quickly come up to speed

  2. Document project plans and workplans

  3. Provide regular progress reports

  4. Store project information, including background documents, research or consultation reports or data and draft deliverables where they can be easily found and shared

  5. Implement a robust peer-review process for proposals and deliverables

  6. Work in small teams and share the work wherever practicable

  7. Multi-skill staff wherever possible

 Managing the risk of staff dis-continuity makes good business sense.  Not only does it mitigate an obvious risk, it builds a collegiate environment and culture where staff support each other, ask for help when they need it, and take shared ownership of business productivity.

PC110708.JPG

Creeping crises–does resilience fit?

BCAW2019 - Investing in Resilience - by Rick Stone

I was flying over Warragamba Dam a few weeks ago and was struck by just how low 55% capacity really is.  Sydney Water says that levels across 11 dams in Greater Sydney are dropping faster than they have in decades.  Every week the city is using 0.4% of the storage (11 billion litres or enough to fill 4,400 Olympic pools).  The desalination plant has been turned on to supplement the city’s supply.  Rain over the Sydney basin in March means the city is green; but the catchment largely missed out.  So Sydney, along with most of the rest of the state, is suffering one of nature’s most insidious creeping crises—drought.

How is the concept of resilience relevant to a slow-burn or chronic hazard, like drought?  Organisations like to talk about being resilient, but what does this really mean?  Many businesses think a resilient organisation is one that successfully navigates disruption or chaos.  The focus is usually on acute impacts, such as flood, fire, fraud or flu.  Organisations attempt to prevent the problem, cope with it if it occurs, and adapt to a new normal (if they survive).  But it’s hard to measure the success of these programs: did the organisation survive because it had really good preventative strategies, or were they just quick on their feet with a response, or have just been lucky?

Another concept of resilience is “adaptability”.  Resilient organisations can be adaptable to shocks – the traditional acute impact; and they can also be adaptable to slower, less obvious stresses.  Farming is a good example—a resilient farmer needs to be able to adapt to the impact of a bushfire (acute) and a drought (chronic).  The challenge is to recognise the slowly evolving stress and respond early enough to minimise its impact.  These are difficult decisions—does the community invest in building an expensive water pipeline when “it might rain tomorrow”?  The Resilient Cities initiative, pioneered by the Rockerfeller Foundation, recognises the importance of adapting to both stresses and shocks.  Cities including Sydney and Melbourne have adopted resilience strategies that embrace this concept.  Businesses and other organisations can benefit from a similar approach.

Our communities, and the natural and economic environments on which they depend, face significant stresses.  As resilience practitioners, we need to ask ourselves; are we paying attention to the slowly evolving risks and politically complex challenges, such as climate change?  Or are we staying in the comfort zone of planning and practising for acute impacts?

Dam 2019.png

The computer's driving my car!

BCAW 2019 - Investing in Resilience. By Samantha Ford

Recently I attended the Disruptors Theatre during the Australian Healthcare Week Expo and sat in on a Case Study: Self-Driving Cars 101 – Health Haven or Death Dealer? presented by Prof. Michael Milford, Chief Investigator, Australian Centre for Robotic Vision at QUT.  The case study provided fascinating insight into self-drive technology that is emerging or already available in the marketplace.

Prof Milford described autonomous vehicles (AV) as having the potential to be one of the most disruptive technologies especially in the areas of public health.  His presentation explored the benefits, such as drastically reduced road death tolls, and potential negative effects such as increasing heart disease, impacts on business for insurance, liability, operability and the workforce.  One thing is certain; this technology will disrupt transport as much as the invention of the internal combustion engine.

Current standards and practice promote a risk-based approach to continuity planning by considering risks that have been identified for the business.  These business risks often include emerging technologies or other activities that provide an opportunity and a threat to the business.   

In our work with clients, we regularly see a narrow focus on traditional sources of disruption (e.g. utilities failure, flooding, loss of people, technology failure, etc).  To ensure our clients are prepared we advise them to consider identified risks and sources of vulnerability that are both generic to all industry and those that may be unique to their business. 

So, ask yourself the following during BCAW 2019:

·        What are the disruptive technologies or events that your industry is facing? 

·        Do you have a plan to manage it?

·        Is it documented?

·        Have you tested your assumptions and your plan?

If you need help answering these questions, contact the team at Tigertail for some assistance.

digital-cockpit-components-header.jpg

Welcome to Business Continuity Awareness Week 2019 – Investing in Resilience

By Matthew Harper

As a proud corporate partner of the Business Continuity Institute (BCI), Tigertail Australia is really excited that this year’s theme for Business Continuity Awareness Week is “Investing in Resilience”.

 We see resilience as the ability to bounce-back from disruption and to thrive in an uncertain world.  A resilient organisation is aware of the world around it, scans for threats and opportunities, and responds quickly when things change.  The fundamental building-block of resilience is people – people who are properly prepared and willing to do their bit.  Investing in resilience is investing in people; investing in policies, plans and procedures that help them do their job; and investing in practise to ensure they are match-fit and prepared for when things go wrong.

 One of the great things about our work is seeing organisations invest in resilience everyday; whether it’s a review, an exercise, a training program, or developing an emergency or business continuity plan.  To mark Business Continuity Awareness Week, we will look at different aspects of investing in resilience, starting with a glimpse at an innovative approach to exercising business continuity plans.

 Advances in technology are making computer-based simulations more accessible and cost-effective.  Today, you can use software to explore how your organisation might respond to a disruption.  You can build a model of your organisation’s people, assets and equipment, geo-located on a map, and test what happens if, for example, you lose access to a key supply route or location.  You can even test classical continuity strategies, such as establishing an alternate site, and confirm how long it might take to move staff and equipment.

 We recently used a computer-based simulation for a BC exercise in the ACT to model the “spare spaces” available to the business continuity team across Canberra.  We included all the important items, like computers and phones, then we identified the time and space constraints for moving people across the city.  This allowed the organisation to look at BC from the micro level (who sits at what desk) through to the strategic (what service objectives and capabilities could be met at what times).  The simulation allowed the continuity team to explore options and workshop alternative approaches in real time.  It identified resource choke-points and gaps.  And it helped the team build confidence in responding to disruption.

 How is computer-based simulation an investment in resilience?  It’s a cost-effective way to build an exercise where:

·        an entire continuity team can practise responding;

·        teams can model alternative approaches;

·        time, space and resource constraints are real; and

·        reviews are supported by objective data

Please contact us if you want to learn more about using computer-based simulation to build resilience.

BCAW.jpg

Donuts + Exercises + Virtual Reality = Resilience

Matthew Harper doubts that he will win the Nobel Prize for mathematics for that discovery but for the 2019 Business Continuity Awareness Week, I am sure we have a winning formula for our BCI ACT forum meeting this week.

 This year's theme is "Investing in Resilience" so we have looked at three very different ways and different speakers to talk about their investment.

  1. Angela Friend of the ACT Chief Ministers Directorate will talk about their ambitious two year, eighteen exercise program and the recent evacuation/continuity functional exercise

  2. Our special guest will be Danijela Vrkic of Krofne Donuts.  Krofne is a social enterprise that provides meaningful employment for young adults in Canberra in the production, sales and distribution of what are possibly the best donuts on earth.

  3. We will also have the Canberra launch of the FLAIM Systems extinguisher (www.flaimsystems.com), a revolutionary new way to train anyone to use a fire extinguisher in complete safety and with real scenarios.

 Between Yellow Edge and Tigertail Australia we will provide a magnificent afternoon tea, featuring the great Krofne Donuts.

 Attendance is free to all following registration.  See you there! 

https://www.eventbrite.co.uk/e/bci-act-forum-bcaw-2019-event-3-ways-to-invest-in-resilience-tickets-61492329212?utm-medium=discovery&utm-campaign=social&utm-content=attendeeshare&aff=esli&utm-source=li&utm-term=listing