Over the past few years, RiskLogic has gained a reputation for providing truly unique and dynamic exercise simulations for organisations wishing to test their Business Continuity Program & resilience. Being able to understand how your team works when the pressure is on is vital, but being able to identify gaps and roadblocks that can occur during a crisis, probably more so.
Recently, RiskLogic sat down with Therese Chakour-West, the Information Technology Manager at STIHL Pty Ltd (STIHL) to revisit her experience in developing and validating a Business Continuity Plan (BCP) and attending an exercise.
STIHL established its name in the forestry and landscape world as far back as the mid 20’s. Today, they are now considered as the pioneers to petrol powered chainsaws and one of the most established brands in the market. Their chainsaws, handheld equipment, and tools are likely to be sitting in most handyman’s vans. When Mr. Andreas Stihl founded his company in 1926, it was unlikely he was considering the importance of a BC plan and running scenario exercises however. So why is it today, in 2016, a large majority still haven’t acted on putting something in place?
Therese and her team are considered as early adopters in this case. They saw a need for a review and action before anything serious happened, and this was endorsed by the parent company’s auditors!
“We’ve not had a BCP at all before, so that was an obvious key driver. We identified a serious gap for the operation and we had to act on it. The auditors asked for things like the Disaster Recovery Plan (DRP) and we didn’t have any plan to show them! They really applied the pressure, so we had to get something done and it was our responsibility to do so for our own subsidiary.”
It’s no myth that directors, CEO’s and Senior execs are being spoken to all the time about BCP’s and risks that the organisation faces. A key challenge is convincing them of the importance but then getting it underway.
“I had been trying to get it off the ground for many years. The previous MD didn’t quite see the value but with the auditor’s support and the current Leadership team support, I knew I could finally get something done here. The interest was already there for the DRP, but it was also the BCP we had to align. You can’t have one without the other. So, I just took it upon myself to get it done. You know, it’s funny, when I met with the Chairman of the board in July, I told him what we had done with the exercises, the DRP & BCP and this convinced him enough to report the importance of them back to the parent company and other subsidiaries. He just got that we needed to do it.”
When you are part of a very large organisation, it is easy to forget that many areas of the business have different risks compared to that of head office. Therese understood quickly that their plan had to be different.
“The parent company in Germany had their Disaster Recovery plan and it seemed obvious to use theirs. It didn’t take long to realise we had our own risks to focus on though. So, our procurement manager went to market and we found RiskLogic. That final Business Continuity Plan couldn’t have been handed down. It had to be unique for our three sites. It had to focus on our needs”.
“We’re a team of four full-timers here on the IT Crisis team (7 total members on the crisis team). It was a no-brainer to all of us we needed this in place, but it was getting the guidance to put a plan that worked into action”.
Those organisations that do not have a plan in place often ask themselves the same question, ‘what do we actually do if something happens?’ Most businesses will encounter at least 17,000 different versions and types of incident events each year (mostly small cyber attacks that fail); a vast majority of those will not have a BCP in place to deal with it.
“I asked myself that a few years back; if we have a crisis, what do we do? Who does what? Really, when you’re in that high-intensity situation – what are you going to do? We really were flying by the seat of our pants here”.
RiskLogic’s exercises focus on testing a business continuity program via realistic, hands-on scenario exercises. This is critical to:
1) Build familiarisation with staff roles, responsibilities, processes and available tools
2) Identify practical program improvements
3) Provide a high level of stakeholder assurance in an organisations recovery capability
At RiskLogic, we create event-driven, realistic scenario exercises, maximising participant engagement and providing a comprehensive, yet practical learning experience. We’ll even provide a Client with highly dynamic scenarios, utilising well-established exercise resources in a controlled exercise environment.
Over the last two years, we have run over 150 exercises and trained over 7,000 people on Business Continuity. A number of those organisations later went on to have a real life situation occur. They were able to successfully implement the plan they had originally rehearsed to deal with the situation.
Therese reiterated the importance of this, “You know, I’m keen to get these happening annually! Keeping the team refreshed because there is a lot of information, just keeping that awareness there”.
“The scenario was a real eye opener for us; it was unanimous. You’re really put under the same pressure you would get in real life. We were getting emails, phone calls and you know you really are just winging it by that stage.”
“I actually got a phone call from ‘The Herald Sun’ and thought what am I supposed to say to them? I actually put my foot in it and it was a huge surprise there. You don’t think that an emergency you’re dealing with could be going viral on social media, and that can really hurt the brand.”
“I also noticed we needed a lot of focus on the ground level people. Who is going to check on our staff? Do we know who on the crisis team should focus on our people and where they should be based? Do you stay in the office while all this happens? No, you get out and act and this simulation really showed the dynamics we can provide as a small team, it was really great”.
Recently, a pastor who had eaten at an Applebee’s restaurant in the US crossed out the automatic ‘18% tip charged’ for parties of more than eight and wrote “I give God 10% why do you get 18” above her signature. A waitress at the restaurant took a photo of this and posted it online. She was subsequently fired for “violating customer privacy” which would have been understandable if Applebee’s had not posted a similar receipt that was complimenting them just 2 weeks prior.
As news of this incident spread like wildfire and infuriated people across all social media platforms, Applebee’s responded with a short post defending their actions on their Facebook page. This quickly drew over 10,000 mostly negative comments, to which Applebee’s started responding by posting the same comment over and over again. They were also accused of deleting negative comments and blocking users.
The downward spiral continued as Applebee’s persisted in defending their actions and argued with users that criticised them. By the following day, after the original post had generated over 19,000 comments, Applebee’s decided to hide the post which only created more anger.
“Gosh, you just shouldn’t underestimate the importance of this. People, customers talking about your brand without you being aware could be so damaging. There is so much at stake” Therese acknowledged when we mentioned a similar example.
Since their scenario exercise with RiskLogic in June 2016, Therese is initiating an awareness session with the wider team. Her three other locations throughout Australia will adopt the same processes to ensure everyone, everywhere, is prepared – especially their Primary Crisis Team working out of the command centre in Melbourne. This is a fantastic step for STIHL to promote their resilience and innovative nature in the market, but maybe more so having the ability to show their staff and clients they care about this subject!
“I have so much more to learn, I’m no Crisis Management expert but I definitely feel more confident in my team and our readiness when the pressure is on”.