Social Media: to Tweet or not to Tweet!?
April 29, 2011
Written by Grant Davis, Lead Consultant, Business Continuity
In a time where society demands instant access to information, the traditional means for organisations to communicate with clients and stakeholders via email or snail mail is no longer sufficient. It’s not enough to communicate urgent information via a media release, which you hope will be picked up on radio or in print media. Gone are the days when it was acceptable for organisations to inform clients of an incident via tomorrow’s papers. Society now requires permanent, continual access to information. We need to be informed in ‘real time’. We don’t like being ‘out of the loop’. A daily flick through the Sydney Morning Herald, to read yesterday’s news is way behind the eight-ball.
In an era where internet-ready devices appear permanently attached to one’s palm, social media sites like Facebook and Twitter are now the go-to places for information and conversation. Few people, especially among generation X and Y, do not have a Facebook account. In fact, over half a billion people around the world now admit to accessing Facebook almost daily. The 150 million Twitter users around the world are also growing at a rate of more than 370,000 per day! And the number of organisations and businesses now actively participating in social media is rapidly increasing.
Numerous organisations around the world are now using social media sites like Facebook and Twitter for marketing and advertising purposes. Some organisations are even dedicating entire teams to it. Now it’s almost hard to NOT find and follow your favourite brand on Facebook or Twitter. In fact, my latest friend on Facebook also happens to be the same retail outlet where I bought my last pair of jeans! But companies advertising on social media, or proactively participating in social media for marketing purposes, is not new. What is new, however, are the apparent advantages (or disadvantages) to organisations of participating or not participating in social media. If managed properly, social media can be a very quick and effective tool for organisations to communicate very important information and messages. Instant communication to your network of stakeholders is only a Tweet away!
Recent events from around the world have shown how sites like Facebook and Twitter are widely used in times of crisis. Think of the first thing you heard about the Christchurch earthquake or the first images of the Japanese tsunami. Chances are that information or visuals were sourced directly from Twitter users who ‘posted’ their experiences within minutes of it happening.
Following the recent Christchurch earthquake, some Twitter users posted information about the event and pictures of the devastation within four minutes of the tremors. Eight minutes later, media outlets published their first stories. Such is the pace and accessibility to real-time information.
So how do organisations best utilise this pace and accessibility? Many organisations around the world are using social media during crisis events to great effect. When incidents like an earthquake or tsunami occur, more often than not telecommunications and power are cut. Traditional communication via landline or email may not be possible. Most people, however, seem to retain the use of their mobile phones, and even though some networks may be down, ‘Tweeting’ your experiences or ‘updating’ your status always seems possible.
It might be a little early to comment on how different organisations used social media during recent natural disasters; however, looking a little further back, most would remember the Icelandic volcano early last year, which caused a massive ash cloud and led to the biggest European air travel disruption since World War II.
Huge quantities of ash and rock spewed into the skies above most of Europe. It was even reported to have reached as far away as the Middle East. This forced the closure of almost all the airspace and airports across Europe.
Two similar organisations whose customers and operations were directly affected by the crisis were airlines KLM and Air France. These organisations perfectly represent the example of how TO and how NOT TO use social media in times of crisis.
Case A)
KLM
In the lead up to and during the European ‘Ash Cloud Crisis’, KLM worked tirelessly to ensure their social media monitoring and management activities were up to date. In fact, KLM dedicated an entire PR and communications team to work a 24/7 roster to constantly maintain their official Facebook and Twitter sites. They provided regular updates on travel activities and restrictions and spoke with concerned customers using social media. KLM actively participated in blogs created by others and didn’t delete any negative comments. They were dedicated to providing a constant stream of information.
During and following the ‘Ash Cloud Crisis’ the net effect to KLM from all this activity was obvious. Almost no negative press or damaging social media activity regarding KLM was recorded, customers were relatively happy and informed and there was little to no brand or reputational damage. KLM came out of the crisis with a glossy, professional appearance that set the organisation up to retain loyal customers and increase their market share.
On the other hand……..
Case B)
Air France
Air France took a very different social media approach during the ‘Ash Cloud Crisis’. The official Facebook and Twitter accounts of Air France across Europe were barely updated during the crisis. Both platforms registered almost no activity in the six months leading up to the crisis. In fact, during the crisis the only official activity from Air France on their sites was from individuals within the organisation without direct responsibility for managing the sites who were tasked with deleting any negative comments posted by users – the biggest no-no in social media management. Today if customers cannot communicate with organisations via the phone or their website, they will typically head online and investigate social media sites like Twitter and Facebook for an update of what’s going on. If these ‘official’ sites have had no updates or communication offered to their ‘friends/followers’, people begin to feel they are not being given the information they require, especially when it comes to things like travel arrangements. In Air France’s case, no updates were posted on any of their official sites, leaving customers with no information.
Obviously this did not bode well for Air France. Uninformed customers are not happy customers, especially during uncertain times. Needless to say, Air France received some very negative and damaging publicity – the exact thing executives were obviously trying to avoid by not posting comments or updates on social media sites. Hundreds of social media users reported changing their flight plans with Air France, many of whom moved to the very accommodating KLM! “Never flying Air France again” was not an uncommon status update following the disruption. Air France has now reported a decrease in market share and revenue following the crisis, while other similar organisations (KLM for example) have reported no significant losses or changes to revenue predictions.
Given the amount of attention paid to social media, not just day-to-day, but during a crisis, it makes sense for organisations to actively participate. But organisations must have clear parameters and policies in place.
Clearly there are risks that the ‘publicly displayed’ information on these sites can be damaging. One well-worded negative Tweet can have huge reputational impacts. Whether it’s a negative comment posted by a disgruntled customer, or a misguided/unendorsed posting by an oblivious employee, there are reputation risks. However, it is much better to be in a position to participate and respond to negativity posted on the web, rather than have it blindly snowballing behind your back. Organisations that decide to proactively participate in the use of social media for marketing or crisis communication purposes should first establish boundaries.
That is:
- A policy should be developed that is endorsed by the Board and taught to staff to highlight the organisation-wide ‘Do’s and Don’ts’ of social media participation.
- Involvement should be restricted to a dedicated person or team.
- Those involved should be given the appropriate training in media communications and public relations.
- Any statements, Tweets, status updates, blogs etc should be approved at the appropriate level before release.
- Organisations should respond to, and most importantly, not delete any negative comments posted by users.
- Organisations should increase/expand their participation in social media monitoring and communication during times of crisis.
- Organisations that do decide to utilise social media should do so with the same amount of precaution they would dedicate to any external communication. Consideration should be given to incorporating social media participation and communication into the organisation’s operational risk management activities.
- Organisations should consider social media when developing and reviewing plans for crisis communication. Business Continuity plans should provide clear instructions and strategies for the use of sites like Facebook and Twitter. Although they may not be the primary means of communication, they can be a very effective secondary source of communication to an organisation’s networks and stakeholders.
Many organisations around the world have made the strategic decision to endorse social media primarily for marketing and promotional opportunities, and increasingly as an additional means to communicate to their networks. Given a recent report that suggested the current number one fear of C-level executives is brand and reputational damage from negative social media publicity, it is imperative that its use is supported by a set of clear and internally promoted policies – all of which have been endorsed at Board level.
Like any business activity, if effectively managed, social media can be a huge opportunity for any organisation. Tread carefully and the rewards can be great.
Changes to Emergency Management Training
April 29, 2011
Written by Kara Smith, Lead Consultant, Emergency Management
The January 2011 issue of Risk eNewsletter included an article on the key changes to the Australian Standard 3745, “Planning for Emergencies in Facilities”, and the impact this might have on your organisation. Greater emphasis is placed on emergency management training as a result of these changes. During an emergency, the smooth operation of the emergency guidelines outlined in AS 3745-2010 is only achieved if all wardens and other occupants know what is expected of them. Therefore it is necessary to educate, train and develop periodic exercises to test the organisation on the procedures and evaluate staff responses.
The new standard details the training requirements for all persons involved in the emergency management program, as well as facility occupants. According to the new Standard, training is required:
- For at least one member of the Emergency Planning Committee (EPC), to enable the EPC to competently execute their obligations
- For the Emergency Control Organisation (ECO)
- For facility occupants
Emergency planning committee (EPC)
The EPC usually consists of members from the OHS Committee, who are responsible for overseeing on an ongoing basis:
- The effectiveness and accuracy of the Emergency Management Plan
- The procedures and relevant emergency documentation
- The appointment of any available personnel to coordinate an emergency response in the first instance
- Staff training in emergency preparedness
Members of the EPC are required to undergo training to ensure they can competently execute their obligations. Specialised EPC training includes the following:
- Developing, managing and maintaining an emergency plan
- The duties of the EPC and ECO
- The duties of the Emergency Response Team (if applicable)
- The conduct of site-specific emergency identification and analysis
- Establishing and managing an ECO
- The management of appropriate documentation
- The management and development of assessment activities
- The development and implementation of training activities including emergency exercise management
- Emergency mitigation, emergency preparedness and emergency prevention
- The installed fire safety systems (e.g. sprinkler systems, fire doors, emergency communications)
- Liaison with Emergency Services
Emergency control organisation (ECO)
The ECO must give top priority to the safety of all occupants and visitors of the facility during an emergency. ECO members require specialised training to develop the skills and knowledge necessary to undertake the duties set out in the emergency response procedures.
This training addresses the:
- Duties of the ECO
- Procedures for the specific emergencies
- Responding to alarms and reports of emergencies
- Reporting emergencies and initiating the installed emergency warning equipment
- Communication during emergencies
- Pre-emergency, emergency and post-emergency activities
- Occupants and visitors with disabilities
- Human behaviour during emergencies
- The use of installed emergency response equipment (e.g. WIP phones)
- The performance of the building and its installations during a fire or other emergency (e.g. fire doors, emergency lights)
Chief wardens, deputy chief wardens & communications officers
In addition to the general training for all ECO members, those appointed Chief Warden, Deputy Chief Warden and Communications Officer must undergo additional training due to the inherent nature and responsibilities of these roles. This training focuses on:
- Their roles and responsibilities
- Duties of the EPC
- Decision-making, command and control
- Record keeping
- Actions for the specific emergencies
- Coordination of communication(s) during emergencies, including use of any installed specialised communications equipment
- Liaison with Emergency Services
- Coordination of evacuation activities
- Implementation of post-emergency activities
First-attack firefighting
First-attack Firefighting is designed to train personnel to control small, uncomplicated fires using a fire extinguisher, hose-reel or a fire blanket. Where first-attack firefighting by specific occupants is included in the emergency procedures, these occupants shall be trained to enable them to competently execute their duties.
The training for first-attack firefighting shall address the following:
- The duties of the ECO, and ERT, where it exists
- Preparing for site-specific fires
- Reporting fires
- Evacuating from endangered areas
- Identifying, reporting and correcting unsafe conditions
- Responding to fire emergencies
- Identifying the classes of fire
- Selecting the correct first-attack equipment
- Safe operating procedures for first-attack equipment
- Determining if it is safe and appropriate to use first-attack equipment
- Procedures to be followed after first-attack equipment has been used
- Post evacuation activities
Skill retention training should be conducted no more than 6 months apart to ensure the ECO can competently execute their duties. While the concept and frequency are not new, the training content and adequacy requirements are greatly expanded. In addition to the delivery of training for the ECO, it is important to incorporate exercises and assessments to allow participants to apply their knowledge and skills in practice.
Emergency response exercises
Section 7 of AS 3745-2010 expands on Clause 3.5 of AS 3745-2002, including new wording that permits exercises to be conducted that are relevant to emergencies on the site. The clause also details the roles of observers and the need to keep a record of the actions taken.
The concept of an emergency happening during an emergency response exercise is mentioned within the revised standard. The tragic situation where a real emergency is not treated properly when it occurs during an exercise can be avoided by using a code word. The standard suggests ‘No duff’ as the code word.
Occupants and visitors
All occupants working at a facility must be trained to ensure they act in accordance with the emergency response procedures, including:
- Occupant responsibilities within the facility emergency response procedures.
- The types of emergencies contained in the emergency plan.
- How to report emergencies including activation of alarm systems, if installed.
- Recognising and reporting unsafe conditions, and correcting unsafe conditions when appropriate.
- The authorities, roles, responsibilities and identification of ECO members.
- Reacting safely to emergencies and alarms.
- Evacuation procedures.
- The location of internal and external staging and assembly areas, as contained in the emergency plan.
- The location of egress routes.
- Post-emergency protocols.
- Procedures for specific emergencies.
Visitors at the facility should be provided with appropriate information on the emergency response procedures, as determined by the EPC.
What does this mean for organisations?
These changes mean that to comply with the latest best practice guidelines, building owners / managers / employers will need to:
- Establish the EPC & ECO
- Develop an Emergency Response Plan (ERP), or update their ERP with all the new requirements
- Train the EPC and have them agree to details recommended for the Emergency Plan such as schedules of training, emergency response procedures, scope and validity period of the document, recruitment and maintenance of the ECO
- Ensure the ECO training content is aligned with the requirement of the new standard.
- Ensure the program of emergency response exercises is appropriate.
Once enacted, building owners, managers, employers, employees and visitors will have a better understanding of what to do if an emergency situation occurs.
‘Black Swans’ and your Supply Chain
April 29, 2011
Written by RiskLogic’s Business Continuity Team
In today’s globalised world, the supply chain of national and international companies is more complex than ever. Ultimately the goal of an efficient supply chain network is to reduce inventory and receive the best inputs at the lowest costs. While companies have a wide selection of suppliers from all over the world to choose from, organisations have never been more dependent on products, information and finances provided from external parties. This dependency exposes the company’s bottom line to an extra layer of risk.
The financial impact of the global financial crisis and the multitude of recent natural disasters highlight just how unpredictable the availability of supplies can be. Experts in the field of Risk Management will have heard of the so-called ‘Black Swan’* events, which are rare but can have a devastating impact on your business.
Few would have predicted that a major earthquake and a tsunami would hit Japan within a few hours in March this year – a prominent example of a ‘Black Swan’ event. Japan’s 8.9 magnitude quake and tsunami caused widespread damage and closed down key ports across the country. While some airports shut in the immediate aftermath have reopened, transport and manufacturing infrastructure has been significantly damaged, affecting the production and distribution of many of the world’s products. Supply chain issues continue to worsen as companies are forced to reduce operations within, and outside of, Japan, with factories and manufacturing plants either closed for business or operating at significantly reduced capacity. As reported in the media, the impacts on production and distribution outlets outside of Japan, for companies such as Fuji, Honda and Toyota, have been significant. With electronic goods and motor vehicle production outputs reduced by up to 60% from Japan, distributors around the world are experiencing major shortages of supplies and products as a result. This has a major flow-on effect on the viability of distribution outlets around the world, with organisations experiencing loss of customers, loss of market share and significant financial and reputational challenges.
Planning for supply chain disruptions
Generally, a supply chain is a network of organisations, people, technology, information and resources that contribute to the creation of a particular product or service from a supplier to a customer. If this network is disrupted, a company can face a variety of strategic, reputational and operational impacts, which threaten the long-term viability of the organisation. This is where Risk Management and particularly Business Continuity Management are crucial.
Supply Chain Risk Management involves, according to David Honour, editor of Continuity Central, ‘mapping the entire supply chain and its dependencies, identifying, assessing and understanding the various threats and risks, identifying single points of failure’ and subsequently, developing and implementing strategies to mitigate these issues. The aim is to limit the impact to a business if a disruption to the supply chain occurs. It is a continual process where awareness and oversight controls, including the incorporation of Risk Management standards in the supplier contract, are of fundamental importance.
Accordingly, when drafting supply chain business continuity strategies, considering all internal and external links in the supply chain is of fundamental importance, as is assessing those products (and hence supplies) that are critical to retaining market share as well as revenue. Understanding both supply vulnerabilities and production priorities will enable the development of appropriate continuity strategies. Planning for continuity ultimately involves working collaboratively with suppliers and other key business partners. Below are just a few considerations when developing supply chain business continuity strategies:
- Diversification of transportation systems. Businesses should consider the utilisation of multiple carriers and forms of supply and distribution. Transport infrastructure is often the first to be impacted in a major disruption.
- Development of reciprocal agreements for storage space. Warehousing of inventory can be a logistical nightmare for organisations when facilities are inaccessible. Shared agreements, established prior to a disruption, with suppliers, transport providers, customers or competitors can assist.
- Relocation of production. Organisations with multiple facilities may be able to relocate production to other sites to ensure continued supply. However, capacity levels must be carefully considered and other product lines may need to be scaled down to accommodate the increase at the alternate facility. Additional production costs, transport costs and lead times will also need to be considered.
- Sourcing alternate or substitute products or components. This is not always feasible if specialised components are required or limited suppliers exist, but in many cases a review of critical products/components and alternative supplier options will make a significant difference in your ability to continue production should your main source of supply be unavailable. Lead times are often critical, so establishing relationships prior to a disruption is recommended.
- Building redundancy for your ERP/inventory management systems. Ensuring access to critical software tools is essential no matter how small or large the disruption. Availability of redundant IT infrastructure, on and offsite data backup and access to databases within business critical timeframes is essential. When the appropriate level of IT redundancy is not available, organisations must consider alternative or manual process workarounds to ensure business continues.
- Interruption Insurance. Ensuring the organisation is covered for loss of revenue in the event of a disruption provides a high level of comfort to internal stakeholders. Whilst this does not directly manage the other damaging consequences of a disruption, it does enable an organisation to focus on the strategic response to the disruption without significant short term financial concerns.
- Staff management and succession plans. Despite the use of technology, businesses heavily rely on suitably qualified staff to manage all aspects of operations. A significantly traumatic event or disruption can render critical staff unavailable for long periods of time. Ensuring critical roles have been identified and suitable back-up personnel or resources are available is imperative to ensure continued operations. This could include multi-skilling existing staff, use of offsite resources in another location and outsourcing roles, to name a few. On the other hand, not all roles may be critical in the first few days of a significant disruption. It is just as important to know who to send home and who to keep on.
- Review of supplier business continuity preparations. Asking to review or receive evidence of a supplier’s business continuity plan will provide a higher degree of confidence that supply will or won’t continue in a disruption. As often as not this will also act as a strong motivator for suppliers to further enhance their preparations. Many large organisations are now insisting on a minimum level of business continuity planning before they will enter into a commercial relationship with potential suppliers.
On the whole, business continuity requires planning for alternatives in every aspect of the supply chain including backups for key staff, IT disaster recovery and critical suppliers. Business continuity demands innovative problem solving and a thorough analysis of all the components of a supply chain. A silo approach should be avoided at all costs.
When a disruption occurs an effective Business Continuity Plan will protect an organisation and its stakeholders, minimising downtime and preventing significant reputational, operational, legal and financial costs. While the plan should cover a wide range of contingencies, the problem lies in unforeseen disruptions – plans are often based on past experiences. Few predicted the ‘Black Swan’ events of the terrorist attacks in 2001 and the 2004 Boxing Day Tsunami. Therefore, it is important to collaborate with industry experts, internal stakeholders and supply partners to share knowledge and experiences so you can create a robust Supply Chain Business Continuity Program.
How resilient is your Supply Chain? Inevitably, the risk grows as our world constantly changes and becomes more complex. While businesses become more interconnected, the risk of supply chain failure rises. ‘Black Swans’ occur more frequently than we think. Therefore, an active and successful Supply Chain Risk Management and Business Continuity program is no longer a nice-to-have, but a commercial necessity.
*The ‘Black Swan’ Theory was developed by Nassim Nicholas Taleb and refers to unexpected events of large magnitude and consequence.
2012: The End of The World? Probably Not… A look at Solar Flares
April 29, 2011
Written by Alistair Thom, Lead Consultant, Incident Management
The ancient Mayan calendar has been incorrectly interpreted as foreshadowing the end of the world sometime next year. Hollywood has capitalised on this theory but it has largely been dismissed.
But before it’s dismissed entirely, there is a small element of truth to the theory. The earth could be hit with a catastrophic event sometime in the future and the culprit is our sun and its solar flares.
Solar flares occur when a burst of magnetic energy is released from the surface of the sun. Coronal mass ejections or CMEs, on the other hand, are large-scale eruptions of plasma and magnetic energy from the sun.
The occurrence and behaviour of CMEs is less understood than solar flares. For a CME to have the greatest effect on Earth, it has to occur near the centre of the sun on a trajectory towards Earth, be fast and massive with a large amount of kinetic energy and have a strong magnetic field whose polarity is opposite to that of Earth’s. That’s a lot of factors.
Solar flares, CMEs and plasma might sound like something from a science fiction film but these galactic events can have a major impact on the Earth’s weather and directly affect technology, such as the internet and mobile phones, which every business relies on.
Both solar flares and CMEs fall into the category of “space weather”. The Earth’s proximity to the sun means its space weather is dominated by the sun.
Like the Earth, the sun’s currents crisscross its surface, only rather than consisting of water of different temperatures, these currents consist of varying magnetic energy caused by superheated and super charged gases.
Over the course of 40 to 50 years these currents have accelerated and magnetic activity is predicted to increase.
The largest solar flares/CMEs from our sun are estimated to have the energy of 100 million atomic blasts but, given our distance from the sun and the natural dispersal outwards of energy, life on earth is quite safe. At least for the next few billion years or so.
Additionally, scientists tell us that there is no evidence that any of the mass extinction events that have occurred on Earth were due to solar activity.
While we might be safe, millions of atomic blasts going off at the same time and then heading our way can still cause us some problems mainly through magnetic storms.
Magnetic storms affect the Earth in a number of ways. The most spectacular is when the magnetic energy from the sun collides with our defence shield, Earth’s own magnetosphere. This causes intense activity, especially in our polar regions, and creates the Aurora Borealis and Aurora Australis, otherwise known as the Northern and Southern Lights respectively. During the Carrington Event – the largest CME event ever recorded, named after the witnessing astronomer – the auroras were seen all the way to the tropics.
Abnormal electrical currents, caused by the activity of the magnetic fields, can also affect the Earth. The Carrington Event caused numerous nonsensical messages to arrive at telegraph stations around the globe. It was also reported that not only were some wireless operators able to operate their equipment without having to generate their own power, some were even electrocuted by the strength of the magnetically induced currents.
How badly can these magnetic storms impact your business? The answer to this depends on a number of things.
Firstly, there is no model available to predict the volume of solar flares and CMEs with any accuracy other than to say there are going to be more of them with greater energy in the next two to three years than there have been in recent history.
With that in mind, it’s important to understand what the effects are. Magnetic storms can cause a spike in radio noise (or activity), which can interrupt communication on those wavelengths.
This can result in a complete radio blackout of various wavelengths. In 2005, numerous flights had to be diverted from polar flight paths due to the interference caused by a solar flare, which resulted in increased fuel consumption and delayed arrivals.
As briefly mentioned above, the other significant effect is the production of magnetically induced electrical currents. The first to feel these effects are satellites in space, which can have their functionality disrupted.
It’s hard to define how much functionality would be lost and the duration of this loss but common consensus suggests there would be substantial functionality loss (if not total) across the majority of exposed satellites. This could last for the duration of the event and would interrupt services such as mobile phones, GPS, television etc.
Two telecommunication satellites were affected by a solar storm in 1994. One recovered in a matter of hours while the other took over six months and more than $50 million to be rehabilitated. In 2003, a GPS system used by the US’ Federal Aviation Authority was disabled for 30 hours, resulting in a major disruption to air traffic.
Closer to home, magnetically induced currents are going to affect all our electronics at home or in the office, unless they are fully switched off (and not just in hibernation mode). This means your computer, your mobile, your landline, your TV, your fridge etc could all be disabled temporarily or even permanently.
On a slightly larger scale, the power grids that criss-cross the globe are highly susceptible to these currents. The longer the power line, the greater the risk. These power lines are likely to conduct the magnetically induced current to their transformers where the current can melt a crucial component made of copper, bringing the grid down and causing widespread blackouts.
This occurred in Quebec’s hydro-electric grid in 1989, where it shut down completely within minutes of the event occurring and took 9 hours to be brought back on line. Obviously there are severe implications if the power grid were to shut down completely, not just in terms of business functionality, but from a society point of view. Without power, petrol pumps can’t function, trains can’t run and traffic lights won’t work.
Imagine potentially dealing with a scenario with no landlines or mobile phones working! If you track the power supply far enough down the line you can get to a point where your toilet won’t work due to a loss of pressure as the pumping stations lose power at one end and water is incrementally used at the other end.
The worst-case scenario is that a large solar flare/CME could disable our electrical systems and their power supply, with obviously severe implications. So what can we do?
The first thing to do is to monitor this website, http://www.swpc.noaa.gov/. This is the website of the US National Weather Service’s Space Weather Prediction Centre. This website continually feeds information from satellites monitoring the sun and is likely to be the source of the earliest warning available. It is already used by many airlines to divert their airplanes away from affected areas should a solar flare occur.
Once you have advance warning, the most current advice for those of us in the “impact zone” is to initiate a pre-emptive and preventative electrical shutdown. Ensuring servers, computers and phones are powered down during the event protects them so that they can be used as soon as the power supply is restored. This might seem a little over the top, but a five-hour shutdown, compared to the total loss of your computers and servers along with all your data back-ups, appears to be a price most would pay.
However, even if you perform a pre-emptive shutdown and protect your systems, you can still be affected by those devices that were unable to achieve either a full or even partial shutdown. This might result in your supply chain, income stream or delivery mechanisms being disrupted, among many other possibilities, with obvious threats to the sustainability of your business.
You need to minimise the impact on your business of the potential outcomes of a large solar flare/CME event, which range from the short-term effects of a widespread planned shutdown to the longer-term effects of an incomplete or ineffective shutdown. To minimise these impacts, you should consider business continuity strategies.
This should involve the development of a Business Impact Analysis (BIA). A BIA looks at all the critical elements that make up a business and looks at the dependencies those criticalities have. Once this has been done, a Threat Assessment is conducted against these critical functions to see how susceptible to disruption or failure they are and what the effect of their collapse would be on the business.
Once our critical business elements have been identified and analysed, the next step is to develop contingency plans to enhance the recovery of the functionalities should they fail.
These may include alternate processes or workarounds to lessen the dependency on IT and communications infrastructure should they fail, and alternative communication strategies to ensure appropriate management of stakeholder expectations. Suffice to say, this will be no easy task given today’s reliance on technology.
There are two time frames that should be considered when developing contingency plans.
The first time frame is the Recovery Time Objective (RTO). An RTO is a measure of time for how long you would take to recover that particular functionality in ideal circumstances and this is the time frame that should be aimed at when developing contingency plans.
The second time frame is the Maximum Tolerable Outage (MTO). An MTO is the maximum time your business can survive with the loss of functionality without severe consequences and is the measure of when that functionality has to be back on-line. While all this may seem like an onerous task, you can imagine how successful trying to develop contingency plans could be after the power has been cut off when the computers and server don’t work and your mobile phone is for decorative purposes only.
At some time in the future a powerful solar flare/CME event is likely to happen, which could envelop the Earth in a powerful magnetic storm. This storm would have a considerable effect on our electrical systems and transmission technologies, only we don’t know where, or even when, this will happen.
The best case scenario is we will have 18 hours warning, at worst we will have virtually none. To minimise the effects of a solar flare/CME event on your business, it’s important to prepare for a temporary shut down while the magnetic storm occurs and develop contingency plans for the damage it might cause to your business.
Effective Fatigue Management
January 31, 2011
Written by David Ginpil, Head of Safety & Risk Management.
The increase in 24 hour operations and longer work shifts has highlighted the need for effective fatigue management strategies. Research has shown that fatigue can have significant impacts on a business including:
- Reduced productivity (through impaired performance, errors, etc.)
- Increased accidents (15–20% of accidents in transport operations are related to fatigue, surpassing that of alcohol or drug-related incidents)
- Increased personnel costs (e.g. lost time, absenteeism)
In addition, fatigue has significant personal costs to employees including contributing to health problems such as gastrointestinal and cardiovascular disorders as well as the disruption of family and social life.
The importance of fatigue management is reflected in the increasing number of legislated requirements and industry guidelines that have appeared both locally and internationally. Within Australia, regulations governing work and break schedules have been in place for many years within the trucking industry. Similar regulations or guidelines exist for other industries including rail, oil and gas and mining.
What is Fatigue?
Fatigue is an acute or ongoing state of tiredness that affects employee performance, safety and health. Fatigue is cumulative – it builds up, leading to a progressive loss of alertness that ultimately causes the person to fall asleep.
The effects of fatigue include:
- Loss of alertness – Loss of alertness is an early sign of fatigue and may include minor memory lapses or difficulty in operating equipment safely.
- Poor judgment – Fatigue affects the ability to think clearly and to make safety-related decisions. The problem is compounded by the fact that someone who is very fatigued may underestimate how fatigued they are.
- Mood change – Fatigue can cause irritability, agitation and the tendency to overreact to issues that arise.
- Drowsiness – When drowsy, a person may experience “microsleeps” of 3 to 5 seconds. This can be critical if operating heavy machinery or travelling at high speeds. Eventually, this drowsiness can lead to the person falling asleep.
Causes of Fatigue
There are several factors that contribute to fatigue. These include:
Disruption of circadian rhythms
The body has natural or “circadian” rhythms that are repeated approximately every 24 hours. These rhythms regulate sleeping patterns, body temperature, hormone levels, digestion and many other functions. When these rhythms become “out of synch” due to factors such as different sleeping or eating times or even changes in the exposure to light, fatigue can result. A common example of this is jet lag.
Sleep factors
The amount and quality of sleep is critical to preventing fatigue. People who do not have enough sleep will incur a “sleep debt”. This sleep debt is cumulative and will continue to build up if there is insufficient sleep.
The quality of the sleep is also important. Poor sleep quality is a common problem for those on shiftwork since it is often difficult to attain restful sleep during the day when it is light outside or if there is considerable noise.
Health factors
Many health factors and lifestyle choices contribute to fatigue. For instance, individuals with sleep apnoea (a breathing obstruction during sleep that causes oxygen starvation) do not get enough sleep because they wake frequently during the night. Other health conditions such as diabetes and obesity can also contribute to fatigue, as can alcohol, a poor diet, poor physical fitness and the side effects of some medications.
Work factors
Work factors can be a major contributor to fatigue. Two common examples are long or excessive hours and inflexible deadlines.
Developing a Fatigue Management Program
When developing a fatigue management program, a risk management approach should be taken that involves the following key steps:
- Identifying the hazard
- Assessing the risk
- Controlling the risks
- Monitoring the effectiveness of the program
The application of this approach to fatigue management is shown below:
| Risk Management Steps | Application to Fatigue Management |
| Identify the hazard |
|
| Assess the risk |
|
| Controlling the risks |
|
| Monitor effectiveness |
|
Controlling fatigue
Controlling fatigue in the workplace ideally involves a number of different approaches that provide several protective “barriers”. This includes:
1. Ensure adequate staffing levels
As a first step, it is important to ensure that adequate staffing levels have been set in order to enable control over other factors such as shift length, amount of overtime and the average time off duty.
2. Shift scheduling
In addition to mandatory limits that may exist for shift lengths and rest periods, optimal shift schedules require consideration of issues such as shift structure (eg. permanent or rotating shifts), shift patterns (eg. fast versus slow rotation of shifts) and rest breaks during and between shifts. Shift schedules should also account for factors such as the employee’s commuting time to and from work, employees swapping shifts or overtime assignments. This is best addressed by using fatigue risk models to assess actual (rather than planned) work-rest patterns and to place limits on the number of consecutive working hours or the number of days worked in a row.
3. Employee fatigue training & sleep disorder management
It is also important to educate employees on the causes of fatigue and the ways that they can manage their personal fatigue risk. This includes coping with shiftwork lifestyle issues and understanding health conditions that may affect the quality of sleep.
4. Workplace environment design
Changes in the workplace can also assist in overcoming reduced alertness caused by out of synch circadian rhythms or inadequate sleep. Changes in environmental factors such as the lighting intensity, sound levels, temperature and humidity can be helpful in this regard.
5. Alertness monitoring & fitness for duty
A final line of defence is to put measures in place that identify employees who are not suitable for work. Technologies such as alertness monitors and fitness for duty tests are options that can be considered for this purpose.
By taking a systematic approach to fatigue management, companies can minimise fatigue-related incidents while improving employee well being and ensuring compliance with OHS regulations and best practices.
Change in Pandemic Phase
January 31, 2011
Written by Mira Lose, Business Continuity Consultant
As of 1 December 2010, the Department of Health and Ageing has officially moved its Pandemic Phase from PROTECT to ALERT, signifying the end of the swine flu pandemic in Australia. This development followed the World Health Organisation’s announcement in August 2010 that the H1N1 influenza virus is now in the post-pandemic stage with localised outbreaks of various magnitude likely to continue throughout the world. At the time, the Australian government considered it appropriate to remain in the Protect period, which proved to be reasonable, as the country went on to experience one of its highest peaks of confirmed swine flu cases in the second half of 2010.
As part of Australia’s response to alleviate H1N1 and curb a pandemic outbreak, the government rolled out a free vaccine program in 2009. While the free vaccine has not been available since 31 December 2010, the H1N1 virus has now been incorporated into the seasonal influenza vaccine for 2011. While the future impact of the virus is impossible to predict, it is expected that H1N1 will continue to circulate as a seasonal influenza strain for years to come. This means that more people will develop immunity to the virus. Nevertheless, actions to generally reduce the risks of influenza infections, including hygiene practices and vaccines, should be reinforced and applied throughout workplaces and at home in order to prevent or at least mitigate the impacts of another influenza pandemic. It is important that businesses continue to prepare and maintain a sound and well-tested Pandemic Management Plan. This plan will provide the organisation with a roadmap of the appropriate response efforts to support employees and minimise operational disruption to the business.
Talking Risk with Westpac Bank
January 31, 2011
Interview by Grant Davis, Business Continuity Consultant
There is always something we can learn from the experience of others. To this end, this article is the first in a series of interviews with individuals who we recognise as leaders or influencers in the areas of Risk Management, Business Continuity, Incident Management, OHS and other related fields. JFK is quoted as saying, “Leadership and learning are indispensable to each other,” and nowhere more so than in the field of Risk.
In this first edition of ‘One-on-One’ we speak to Robert Colla, the Head of Risk Analysis and Market Risk Management at Westpac Institutional Bank. Robert has more than 20 years of experience in risk with Westpac in Australia and London, and is widely recognised as a pioneer of risk management in the Australian banking and financial services industry.
In this discussion, Robert emphasises the importance of championing risk within the organisation, driven by the ethos that “risk is everybody’s business.” He also raises the challenge of managing risk within ever tightening regulatory constraints on one hand, and more complex data systems on the other. For Robert the way forward is to be able to analyse and report on ‘real-time’ data, whilst using simplified yet robust systems, to monitor risk.
Briefly describe your role: I lead a team responsible for the oversight, analysis and reporting of trading-related risk for the Westpac Institutional Bank and broader Westpac Group. We have a team of people responsible for overall risk management, who deal with the traders (those trading the portfolios of risk) and others who are directly involved in the market in areas like foreign exchange, credit markets, capital markets, treasury and liquidity. We independently assess the market risk exposure in both value-at-risk terms and structurally and provide analysis of that risk for management and regulatory purposes. I am also responsible for Board and regulatory reporting. We provide consultation services to the business to ensure that all levels of risk are understood and managed appropriately. Others within the organisation are responsible for individual transactional valuation whereas my team are responsible for ensuring the frameworks and systems dedicated to Risk Management are developed, maintained and incorporated into the operations of the organisation.
Describe your initial involvement, and progression in Risk Management: My initial involvement was as a Trader, in effect, one of the ‘risk takers’. After a period of time in London in the trading market I became involved in the establishment of the relationship between Risk and market activity for Westpac in Australia (around 15 years ago). In the fledgling days of market risk, we were still developing the relationship between market risk and the objectives of sound risk management. We were tasked with trying to create a cultural linkage and relationship between the risk takers and the risk overseers. A number of market crises through the late 80’s and 90’s led to significant increases in regulatory controls and requirements within the financial services industry. This demanded greater oversight, analysis and understanding of an organisation’s credit and market risk activities. My experience within the market as a Trader allowed for a greater understanding of the risks associated with those activities, so it was a natural transition into the realm of Risk Management.
Has the ‘profile’ of risk changed over the years within your organisation: In my experience, the profile of risk has changed dramatically, not only within Westpac and the financial services industry, but within the business community and society in general. People have a greater understanding of the concept of risk, and therefore there is an expectation that risks are appropriately managed. Market events, as well as greater regulatory control, have significantly increased the level of understanding, knowledge and perception of risk and what role it has to play within the Credit and Market activities of the organisation. The growing regulatory environment and the development of risk related systems and technologies have enabled greater increases in our abilities to assess and manage risk. This then allows us to better understand risk as a concept and report and promote it to those not directly involved. Prior to events like the 90’s recession, Asian crises and tech stock crash, the market did not understand the concept of risk at the same level or depth that we do now. There is now a greater textural understanding of risk and its application. I now believe that our risk management activities better allow us to be ahead of the game, and relatively ‘pre-emptive’ of market changes and activities.
How has your organisation adapted to the increased requirements for Organisations and Boards to better manage risk: In the wake of the global financial crisis (GFC), and other high profile economic events, regulators now want to see that Directors and Boards have a detailed understanding of the risks that their organisations are taking. Westpac has adapted to the increases in regulatory requirements through the development of sound risk frameworks, policies and practices. The organisation has a hierarchy of delegation and control that starts with the Board and the Board Risk Management Committee, and filters down through all levels of the business. Our Risk Management Frameworks now ensure greater accountability at the top, and the implementation of those policy statements allow for greater aggregation of overall risk information. The regulators also want to see that there are no gaps between the ‘in-principle’ documentation and the actual risk management practices. Part of my team’s activities is to report the impacts of various ‘stress tests’ on our business activities. A detailed analysis of the results of those tests is reported and communicated back to the executives and the Board on a regular basis. Greater education and understanding of ‘risk’ and the implementation of solid frameworks across the organisation ensures that we are in a position to better manage risk in line with best practice and our ongoing regulatory requirements.
How widely accepted is Risk Management within your organisation and is there a strong risk ‘Culture’: Westpac has developed a very strong ‘risk culture’. As a financial services institution, our interaction with risk is a big part of ensuring our ongoing financial objectives are achieved for our shareholders and customers. Internally, Westpac maintains a motto that ‘risk is everybody’s business’. We have a very strong risk culture within the areas where risk taking is a direct function of the business, or where it is meaningful on a day-to-day basis (in areas like Foreign Exchange or Capital Markets). Of course, there is always a danger that the risk culture is nothing more than a documented framework which may not actually be effectively implemented. I don’t believe that to be the case with us. Lessons have been learnt from our experiences over many years which have developed a strong risk culture and we maintain good discipline around lending practices and limit structures. Across the organisation, from the Board down, diligent risk management is the expected standard practice.
Have you or your organisation developed or adopted any systems or programs that have assisted in better managing risk: Westpac utilises a number of standard risk measurement and reporting platforms. We have significant infrastructure dedicated to risk management. We have a number of ‘off the shelf’ engines that are applied to our processes. In most cases we have worked with the provider to make modifications to the standard package to ensure they suit our requirements. We have separate platforms for measuring and reporting in all areas like interest rate risk, operational risk, liquidity, market risk and credit. One of the main barriers or constraints to good risk management is the access to and consistency of data. A number of the systems we utilise assist us in the management of our data. Developments in the availability and use of various technology associated with risk management has allowed us to oversee, analyse and report on risk in a much more effective way. The systems and platforms we apply have helped to minimise the need for individual interpretation of data, which greatly improves our efficiency and ability to manage risk.
What are the biggest risks that organisations like yours face: As a lender, credit risk will always be our primary risk. Any large organisation such as ours also has significant operational risks inherent in our activities. Part of the regulatory response to the GFC will see more stringent liquidity requirements for financial institutions and that will continue to be a significant risk factor. One of the risks we all face is the systemic risks in the market place. This is an interesting one as these risks are things we can perhaps influence but cannot directly control. The quality of the regulatory changes currently being implemented will be critical in addressing these systemic factors. There is a risk that we get lost in the complexities or that the systems involved become too complicated to be effective. I believe it’s important to maintain the practical textural understanding and depth of knowledge associated with risk.
Is there anything that would help an organisation like yours better manage risk: ‘Real Time’ risk management has always been the ultimate ambition. Increasing our ability to capture, store, analyse and report data in real time would greatly improve the ability to optimise risk management. Continued modification and development of the tools we currently utilise is the likely progression for us in assisting to improve our risk management practices. Like most organisations, as the market evolves there will always be a demand on us to maintain the level of understanding, knowledge and application of risk management practices across the organisation.
Who is your champion of risk: Westpac has always maintained three solid lines of defence regarding risk management. That is, the business unit level, the monitoring and oversight level, and the executive and Board level. Strong leadership and direction has always been maintained at each of those levels. My opinion may relate back to my days as a Trader, but I have always maintained a close interaction with those in the business that are ‘generating the risk’. This has allowed me to maintain a working knowledge of our risks and develop the frameworks and strategies accordingly. The internal championing of risk goes back to our internal motto that ‘risk is everybody’s business’. This is definitely the case with us. There is no one individual that stands out in the risk area. Everybody has a role to play. With significant investment and support in risk from the senior executive and Board, the application of our risk strategy and framework allows us to continually develop and evolve. This will ultimately enhance the stability of the business and assist us in meeting the expectations of our stakeholders.
Changes in Emergency Standards – AS3745
January 31, 2011
Written by Cheryl Hambly, Emergency Management
There are important changes to Australian Standard 3745, Planning for emergencies, that may impact your organisation.
Every organisation is obligated to comply with state-based health & safety legislation and regulations, requiring the provision of a safe workplace for staff and visitors at all times. This extends to the prevention and management of unforeseen and potentially life threatening emergency situations within the workplace.
Australian Standard 3745 has been developed to provide a uniform code for managing emergency procedures and evacuations in the workplace. Adherence to this standard is not compulsory, but is widely recognised as best practice and the benchmark for developing compliant and effective emergency management programs.
Standards Australia has recently released the 2010 update of AS 3745, which now supersedes AS3745-2002, Planning for emergencies in facilities. There are some significant changes to this standard that may result in additional compliance challenges for organisations, requiring updates or changes to your procedures, maps and training programs. It is strongly recommended that all organisations review their programs, in line with these changes, to ensure full adherence to the revised standard.
The following information outlines significant key differences between AS3745-2002 and AS3745-2010. Please note that this summary is not intended as an overview of all your requirements under AS3745, but merely the key differences between the standards.
Should you require any assistance or further guidance regarding these changes, please do not hesitate to contact us.
Emergency Planning Committee (EPC)
- Those responsible for a facility or its occupants shall ensure that the EPC has adequate resources to enable the development and implementation of the emergency plan.
- The EPC is now required to take responsibility for the development, implementation and maintenance of the emergency plan, emergency response procedures and related training
- EPC should contain at least two members. At least one of these members shall be management. At least one member shall be a competent person.
- Consistent with the previous standard, EPC shall meet at least annually.
Indemnity
- The new standard has removed the explicit exemption from liability for wardens as long as they act in ‘good faith’.
- It is now advising that “facility owners, managers, occupiers and employers should obtain professional advice on the level of indemnity provided to EPC (and ECO) members. The EPC and ECO members should be advised of the level of indemnity provided”.
- It is important to remember that the Australian Standards, at present, are recommendations and guidelines though they are not legally binding unless they are otherwise incorporated into contract or legislation.
- Assuming that organisations do not have agreements with their wardens that reference back to the Standards, then the change in the Standards does not necessarily affect the positions of the companies and the wardens. However, in circumstances where the company is silent on the situation of indemnity and an issue arises, the Standards (and therefore the new definition of indemnity) may be implied as being applicable, particularly if the company otherwise purports to rely on the Standards.
- The change in AS3745 does not automatically render a fire warden personally liable. It does, however, give companies the option to allow their fire wardens to become personally liable, an option that was not previously available under the former Standard. It is for this reason that best practice would suggest that companies expressly indemnify their fire wardens, in order to encourage active volunteer participation without fear of liability.
This reinforces the need for organisations to follow due process and have all-encompassing, best-practice emergency management programs in place.
Emergency Management Plans
Structure of the emergency plan
The emergency plan shall include the following additional elements:
- Information on the structure and purpose of the EPC.
- Description of the fire safety and emergency features of the facility.
- The organisational arrangements for the facility.
- Separate sections for the following:
- The emergency identification outcomes.
- The emergency response procedures (pre-emergency, emergency and post-emergency).
- The evacuation diagram.
- Training arrangements.
- The EPC nominated validity period for the emergency plan.
- The date of issue or amendment date on each page of the emergency plan.
Distribution of emergency plan
- Plans should be distributed to members of the EPC.
- Sufficient information shall be distributed to the ECO members.
- Sufficient information shall be distributed to the facility occupants to explain the actions they should take with regard to an emergency.
Key elements of emergency plan
New or changed elements include:
- Consideration for communicating with neighboring facilities.
- The location of the emergency control point (ECP), as well as an alternate ECP to allow for contingencies.
- Inclusion of information and instructions on the use of any emergency response equipment that is in place in a facility.
- Outline of various evacuation options – full evacuation, partial evacuation (for aged care, hospitals, etc) and shelter in place (ie lockdown).
- The characteristics of, and hazards from, external sources shall be considered.
- Media response – all media statements should be provided, released and authorized by nominated persons.
- Additional definitions around the considerations for occupants and visitors with a disability, and the need for a personal emergency evacuation plan (PEEP). A sample PEEP is included in the appendices of the standard.
- Personal effects – occupants and visitors may be asked to take their immediately available personal effects such as handbags, wallets and car keys if it is safe to do so.
Consideration should be given to the use, suitability and storage arrangements of stairway evacuation devices.
Evacuation Maps
Standardised colour codes are now incorporated into AS3745. This is consistent with AS4083.
| Incident Type | Incident Colour Code |
| Fire/smoke | Code Red |
| Medical Emergency | Code Blue |
| Bomb Threat | Code Purple |
| Infrastructure and other internal emergencies | Code Yellow |
| Personal threat | Code Black |
| External emergency | Code Brown |
| Evacuation | Orange |
Authority of Emergency Control Organisation (ECO)
- Authority given to the ECO to act during an emergency must be acknowledged by the facility owners, managers, occupiers and employers as part of the Emergency planning activities.
- The EPC should ensure that the appropriate people, such as senior management, have been advised of the authority of the ECO during emergencies.
Training
- At least one member of the EPC shall receive training.
- All training and skills retention activities shall be conducted or supervised by competent person(s).
- Additional training should be conducted for persons appointed to the positions of chief warden, deputy chief warden and communications officer, and their deputies.
- Training should be conducted for all new occupants including casual occupants/employees, at the commencement of their duties in a workplace or their occupancy of a building.
- Occupants should participate in training activities at least annually.
- Occupants of a facility, who do not work at that facility, should receive training to enable them to act in accordance with the emergency response procedures.
- Visitors at the facility should be provided with appropriate information on the emergency response procedures, as determined by the EPC.
- The ECO and occupants shall be supplied with training material appropriate to each person’s role and level of responsibility as determined by the emergency plan. Training materials shall be site specific.
Evacuation Exercises
- Occupants should be notified before the evacuation exercise takes place.
- All areas of a facility shall participate in at least one emergency response exercise in each 12-month period.
- All occupants of the areas involved in the emergency response exercise shall take part, unless the EPC grants a written exemption prior to conducting the emergency response exercise.
- An emergency during an emergency response exercise should be considered, with a pre-determined word or phrase being disseminated to all ECO members (eg ‘NO DUFF’).
Bomb Threats
- The new standard now includes the acronym HOTUP for identifying an item as suspect (Hidden, Obviously a bomb?, Typical of its environment, Unauthorised access?, Perimeter breach?).
Other Changes
Definitions
- The new standard contains additional definitions including assembly area, Class 1a buildings, competent person, emergency mitigation, emergency plan, emergency preparedness, emergency prevention, emergency response exercise, emergency response procedures, emergency response team, evacuation, evacuation diagram, evacuation exercise, facility, facility operational incidents, occupant, occupant warning system, personal emergency evacuation plan (PEEP), refuge, staging area, test, visitor, warden intercommunication point, workplace.
Abbreviations
- The new standard includes a list of abbreviations.
Maintenance and review of the emergency plan
- Advisors for the emergency planning process should hold recognised qualifications/competencies in a relevant discipline.
Emergency phases
- The emergency plans shall include all phases of emergencies – prevention, preparedness, mitigation and response.
Hazard assessments
- The new standard provides more guidance in the requirements for identifying and assessing potential emergency events and scenarios.
Roles and responsibilities
- The new standard outlines for each ECO and Emergency Response Team member their pre-emergency roles, response roles, and post-emergency roles.
First aid identification
- The identification for the First Aider is now a white cross on a green background.
Reviewing the Lessons of the QLD Floods
January 31, 2011
Written by Jodie Wentworth, Senior Consultant – Business Continuity
On Monday 17 January, the Queensland Premier, Anna Bligh, announced a Commission of Inquiry into the floods that devastated approximately 70% of the state and affected around 60% of the Queensland population [1], a disaster that is shaping up to be the worst ever to impact Australia. Ms Bligh declared, “We need to learn the lessons of this event so that we can protect ourselves better in the future.” [2]
It is only a few weeks since the disaster peaked and already Bligh is looking forward, wanting to harness the immediate experience of emergency response teams, individuals and businesses to understand how the response was managed, and indeed if anything more could have been done to prevent such a devastating and tragic situation.
For those organisations that are still managing the crisis, now is the time to take Anna Bligh’s lead and look back on the experiences of the last month, then look forward.
Now is the time to capture the thoughts and reactions of crisis teams, staff, customers and suppliers to analyse the lessons that can be learned. The experiences of the last month, whilst at times stressful and tiring, are unparalleled and unique. There is so much to learn and there is always room for improvement.
Conducting a post incident review – the 3 Ws
A post incident review can be undertaken in a number of ways, and will depend on the size and breadth of your organisation. However, an effective, yet simple, process is to ask three questions: What happened? What went well? What do we need to improve or change? Answering these questions can be achieved by a number of different approaches:
- Workshops and Interviews with key groups. It is vital that those who had direct involvement in the management and implementation of the response and recovery are involved in facilitated workshops, where possible, or interviewed on a one-to-one basis. Facilitating a workshop with teams such as the Crisis Management Team will enable an in-depth analysis of all aspects of the response, and will also create long term buy-in to the Business Continuity process if it isn’t already there.
- Staff debrief. Feedback can be gained from staff via team based discussions – perhaps a team meeting dedicated to discussing the experience and the perception of staff. Alternatively, questionnaires can be a useful way of receiving feedback from staff who may not otherwise express their views. Experience shows us that feedback from staff is critical. The perception of staff can highlight where communications may not have worked, and can expose weaknesses, and applaud strengths, in leadership and direction.
- Supplier Review. Establish dialogue with your suppliers. What difficulties did they face and how did that impact your organisation? Review the Service Level Agreements and indeed your expectations of your suppliers and discuss with them areas that need to be further improved.
- Understand the customer impact. Speak to those staff who are customer-facing. What feedback did they receive during the disruption and what issues did your customers face?
Whilst key themes for improvement will have emerged throughout the disruption, specific areas that should be included in a review are:
- Communications. Given the external and internal feedback you will have received during and after the disruption, consider the communications strategy you applied, as well as the media and messages you used. What additional tools did you require? Did your IT and Telecommunications infrastructure support your efforts?
- Infrastructure. In a disaster of this scale, it is inevitable that there were challenges in continuing IT and telecommunications services. The substantial ingress of water and disconnection of power will have proved challenging for some organisations. Review the capability of your infrastructure and any recovery efforts. Were your recovery plans and solutions sufficient? What did the IT downtime cost your organisation, either by direct financial losses, or as impacts to reputation and customer service?
- Crisis Team. Did you have a designated crisis team and how did it perform? Staff and recovery teams will have feedback, as will the crisis team itself. Consider the roles and responsibilities of the team members – were they filled adequately? Were there sufficient tools to support decision making? Did team members feel capable of the task at hand? A difficult question to ask, but it is vital that each crisis team member considers their own response to the disruption, and the tools and support they need for the future.
- Business Continuity Plan and processes. For many organisations, this will have been the first time they have used their plan in anger. Was it adequate in providing guidance and support to the Crisis Team as well as the disrupted departments? Consider not only the content, but also the structure and usability of the document. Review the processes you followed to implement your recovery solution such as activating alternate arrangements, and critical business functions. Did you achieve your recovery time objectives?
Implementing the improvements
The output of the review must be action based, with clearly assigned responsibilities and timeframes for completion. Ensure all participants, and the organisation in general, are informed of the lessons and can see that there is commitment to implementing changes where they are required. Ensuring the actions that were identified are implemented is a key challenge for any Business Continuity Manager. As the organisation returns to ‘normal’ and the day-to-day demands return, the focus of senior managers as well as staff will change. It is important that the crisis management team takes ownership of the outputs of the review and commits to ensuring all the actions are implemented.
Learning from others
Whilst the many affected Queenslanders are faced with the daunting task of cleaning up, as well as the long term recovery of infrastructure, businesses, homes, and tourism, those of us not directly affected can take this opportunity to learn from their experiences, and to reflect on the preparations in place for our own personal situation, and that of our business.
How would your organisation cope with an event such as the Queensland floods? Would your business continuity plan, your training and testing, prepare you for managing a disaster with such widespread and unpredictable consequences? Anna Bligh mentioned in one of her press conferences that it had been said that if a scenario of the magnitude of Queensland’s floods had been suggested as an exercise, some people would have said, “That will never happen.”
At a fundamental level there is one significant lesson to be learnt – and that is, it does happen. We cannot be complacent in our consideration of the risks we face, nor in our efforts to implement a valid and workable business continuity plan. Now is the time to ask ourselves: if this were us, could we manage our business through such a disruption?
***
RiskLogic recognises the importance of the experiences of those who have been responding to the floods throughout Queensland, and is speaking with our partners and clients affected by the event to understand the lessons from their response.
Should you require assistance in conducting a post incident review or would like to have an assessment of the plans you currently have in place, please contact us at info@risklogic.com.au.
1 – Queensland Government Press release Monday January 17 2011
2 – Queensland Government Transcript press Conference – 2.15pm Monday 17 Jan
The Human Aspects of a Crisis – RiskLogic presentation
October 12, 2010
Recently, in September 2010, Jodie Wentworth attended the Continuity Forum Business Continuity Conference and Expo in Melbourne and delivered the presentation “The Human Aspects of a Crisis.” Jodie drew on her time working with London Underground to explore how people’s reactions and subsequent behaviours can be disruptive to an organisation’s recovery effort, if the personal aspects of a crisis have not been considered during the planning phase.
Many factors can contribute to how an individual might behave during a crisis. And each individual is different. We should acknowledge that managing people on a day to day basis can be challenging because of these differences and will be even more so during a crisis. Jodie explored how basic human needs influence how an individual responds. Generally people need to: feel safe; have a sense of belonging; and feel valued [1]. A disruption to the workplace can disrupt these fundamental needs and thus create stress, and in some cases, trauma.
Given we are all different, and on any day we might respond to change and stress differently, what can we do to minimise these impacts?
- Get an understanding of how the organisation will respond to the impacts of a crisis – use the BIA, exercises and tests and employee feedback to gauge the organisation’s culture and resilience to disruptions.
- Ensure policies are in place (and communicated) to respond to people issues during a crisis, such as:
  - Working from and staying at home – what is expected of an employee?
  - Will the organisation continue to pay contract and temporary staff if they are sent home, and not required to work for a period of time?
  - How will the organisation respond to issues around the loss of staff personal possessions? Is there a policy in place in regards to the type of personal possessions that staff bring to work?
  - How will the organisation respond to staff injury or death? Who will manage the process at the time of the disruption?
- Manage expectations by taking the time to inform people of the plan, their roles and responsibilities.
- Provide opportunities for staff to build familiarity with the Business Continuity plan and solution (i.e. attend the alternate site).
- Establish internal mechanisms for monitoring and managing people issues. Harness existing team structures to provide support networks. Train managers how to identify and deal with their own, and their team members’, stress. Don’t just provide outsourced counselling services – remember that everyone is different, and therefore one solution doesn’t suit all.
- Motivate staff to build their own resilience such as having all their contact numbers with them, and making sure they have house keys and money with them should they be evacuated immediately.
Without taking into account the Human Aspects of a Crisis:
- People’s ability to perform under pressure may be jeopardised
- The task of managing a crisis will become significantly more challenging
- The potential to create long term employee dissatisfaction will increase
- The ability to respond and recover will be affected.




