Continuity & Resilience Australasia Issue 3: August 2016


YOU’RE INVITED! GALA DINNER EVENT - SYDNEY, 8 SEPTEMBER 2016

The 2016 Annual BCI Australasian Awards recognise the outstanding contribution of business continuity professionals, and organisations living in or operating in Australia, New Guinea, New Zealand, New Caledonia, Lombok, Sulawesi Eastward, Borneo and Bali. All winners from the Australasian Awards will be automatically entered into the 2016 Global Awards that take place in November in London.

This year the awards evening will be a formal dinner event held at the Museum of Contemporary Art (MCA) in Sydney. The luxurious Harbour Room and terrace venue is located on the MCA rooftop and provides an uninterrupted view across Sydney Harbour, the Opera House and the city skyline. With its breath-taking views this stylish venue is one of the most desirable event locations in Sydney. The event will include pre-dinner drinks on the terrace, entertainment and dance floor.

The 2016 Award categories are: Continuity and Resilience Consultant 2016, Continuity and Resilience Professional (Private Sector) 2016, Continuity and Resilience Professional (Private Sector) 2016, Most Effective Recovery 2016, Continuity and Resilience Newcomer 2016, Continuity and Resilience Team 2016, Continuity and Resilience Provider (Service/Product) 2016, Continuity and Resilience Innovation 2016, Continuity and Resilience Personality 2016.

Unfortunately entries have closed for nominations but you’re welcome to come along and see who takes out the top prizes!

When: Thursday 8 September 2016, commencing 7.00pm
Where: Museum of Contemporary Art (MCA), 140 George Street, The Rocks
Event registration: events.thebci.org.au
Dress: Lounge Suit
Cost: BCI Statutory Members are free (thanks to our sponsors)
Affiliates and Corporate Affiliates: $75.00 per person
Guests of Statutory or Affiliate Members: $75.00 per person (limit of 1 guest per member)
Sponsor guests > their allocated 10 or members guests: $100.00 per person



About this Publication

Continuity & Resilience Australasia Magazine is a publication of the Australasian BCI Chapter. The magazine is published three times per year and is an excellent source for all things Business Continuity and Resilience related. Articles include thought leadership pieces, case study presentations, discussion papers, top tips, upcoming events and professional advice on a wide range of business continuity topics designed to keep you in the loop as well as get you thinking.

In this edition: August 2016

Letter from the President
EQ - The Key Ingredient for a Successful BC Practitioner & Organisational Resilience Development
Harnessing Risk for Business Continuity
The Road a Little Less Travelled
Business Cyber-attack Plan
Wellington Expo Update
Business Continuity & the Changing Face of Terror
Forget about Cyber-security, What about Human Bio-security
BCI Education Month
Upcoming Training Schedule
Forum Focus - BCI Queensland
Standards
Gartner Security & Risk Management Summit 2016

Continuity & Resilience Australasia
Business Continuity Institute Australasia
L33, 264 George Street
Sydney NSW 2001
Corporate Service Manager & Editor: Lisa Riordan

The views expressed in this magazine are not necessarily those of the Business Continuity Institute Australasia. All efforts have been taken to ensure the accuracy of information published. The publisher accepts no responsibility for any inaccuracies or error and omission in the information provided in this publication. All original content in this magazine is protected by copyright and cannot be used, reprinted, distributed, or republished for any commercial use without prior written consent. Continuity and Resilience Australasia Magazine is only responsible for the copyright of original material published in this newsletter. In the case of materials submitted by members it is assumed that the original source has secured copyright and/or obtained permission to publish the materials.

Coloured “Continuity Band” Logo created by Joel Foffani; for enquiries please email joelfoffani@gmail.com

The BCI Australasia wish to thank its members and sponsors who contributed to this edition of Continuity & Resilience Australasia. If you would like to contribute, have feedback or have ideas for our future editions please contact us via email info@thebci.org.au


Letter from the President

Well, doesn’t time fly! It’s interesting that we spend so much time developing strategies and plans for loss of buildings, loss of people, loss of technology etc., but not for the biggest risk of all – loss of time! If only, eh? Then we’d be popular if we could solve that one!

Amazingly, we are already 2/3rds of the way through this year, with many organisations already planning their programs and activities for 2017. But there’s still a lot of life left in 2016, and lots of important events and activities to come.

As can be seen from the front page of this edition, it’s BCI Awards season – with September 8th the most important date in the annual calendar for BC and Resilience professionals and associated organisations across Australasia! The Awards provide the vehicle and an opportunity for anyone associated with Business Continuity or Resilience, either as a practitioner, a consultant or an organisation that provides products or services to the industry, to be recognised and honoured as best in class. And with automatic entry of winners into the BCI Global Awards, there’s an excellent opportunity for global recognition and exposure. Just ask the ATO BCM team or Linus Revive, both of whom were inducted into the BCI Global Awards Hall of Fame in 2015 – Australasia really does hold its own on the global stage. I do hope you got your entries in – if you didn’t, then start preparing for 2017! And that still doesn’t stop you from attending the Gala Dinner and Awards presentations at the MCA – it will be a fabulous night and your support of the industry and the finalists on the night will be very much appreciated.

This is the 3rd Edition of C&RA, and I feel confident you will see how this eMag is maturing and developing. Since the first edition less than a year ago as a replacement for the old Continuity Forum “Continuity News” magazine, the content of C&RA has almost doubled, and the quality of articles being submitted by members and other stakeholders is proving to be of a very high calibre.

This edition sees an article on Cyber-attacks and the importance of understanding its potential impacts – a very topical piece - as well as an article by David Thompson AMBCI reminding us that BCM is about more than one thing at a time, so forget about just Cyber! What an interesting discipline this is! Eugene Taylor FBCI also provides an article reiterating a lot of what was discussed at the Summit earlier in the year – that other “soft” skills are just as important as the hard technical skills we use daily to perform our specialist roles. Like BC and Resilience itself, it is important that the continuity and resilience practitioner has holistic and well-rounded capabilities. Speaking of which, September is Education Month, so watch out for some special offers from our Training Partners!

As a final note, I would just like to remind all BCI Members, regardless of your membership level, that there are lots and lots of activities, events and opportunities available to you, not just locally in the Australasian region, but globally. From attending Forum meetings and participating in both the learning proposition and the networking arranged in each local area, the Awards and the Summit on a regional basis, to writing articles for either C&RA or the global Continuity magazine and accessing some great resources available in the Member Only area of the BCI website, there really is a myriad of benefits for you to leverage. Don’t be shy, get involved and get the most from your membership of the global peak body for BC and Resilience professionals!

Howard Kenny FBCI MAICD
President & Chair BCI Australasia


EQ: THE KEY FOR A SUCCESSFUL BUSINESS CONTINUITY PRACTITIONER & ORGANISATIONAL RESILIENCE DEVELOPMENT

Eugene Taylor FBCI

Life in the Business Continuity and Resilience profession clearly does not plateau. In fact the demanding need for rounded professionals is now far more intense. This article will look at Emotional Intelligence (EQ) and how you can use it in conjunction with training to improve skills & develop new ones to make you a better business continuity professional. We spend a considerable amount of time and resources on "technical training" in our professional lives. In terms of Business Continuity there is the Business Continuity Institute's CBCI course focussing on accepted good practice, there are also other training options including ISO22301 Management System Lead Implementer, ISO22301 Management System Lead Auditor, Business Impact Analysis, Crisis Management, Contingency planning, Project Management and a host of others which Business Continuity professionals are encouraged to undertake to build their overall competencies.

The objective of “technical training” is to understand training short-falls and the development opportunities, aligning objectives and requirements to meet conformity to required skills and competency evaluations. Regretfully, very few evaluations require a measurement of Emotional Intelligence (EQ) - often consciously ignoring the importance - more from a lack of understanding than anything else.

So what is Emotional Intelligence (EQ)?

There are generally 7 domains of intelligence, summarised below:

• Linguistic (Language - speaking, writing, etc.)
• Logical or Mathematical (Einstein had lots of that)
• Spatial (See things and move them in your head)
• Musical (Repetition and discipline)
• Bodily or Kinaesthetic (Natural hand-eye co-ordination)
• Intrapersonal (Communication with one's self)
• Interpersonal (Communication with other people)

The last two (combined) make up Emotional Intelligence (EQ), which is a "learned ability to identify, experience and express human emotions in healthy and productive ways".



So how can we use EQ in Business Continuity?

EQ is not meant to be measured against "old standards" such as general intelligence and experience, and has little to do with what is taught in schools and universities. Instead, EQ takes into account personal qualities like: interpersonal awareness, empathy, drive strength, motivation, adaptability, persistence and the willingness to do whatever needs to be done to finish the job. EQ is the single most important variable influencing personal achievement, career success, leadership and life satisfaction. It consists of specific skills, behaviours and attitudes that can be learned, applied and modelled by individuals to improve self worth, achievement and career effectiveness.

There are many EQ evidence-based assessment tools which provide comprehensive EQ-scoring, data-tracking, complex interpretations and subsequent identification of training needs, additionally promoting practical solutions to develop these skills. Some are complex to use and others very easy (the hard work being done for you), but please complete thorough research when looking to go down this route. Good emotions can be learned and EQ development is essential for developing resilience.

EQ plays a significant part in "protecting" people and the bottom line and tangibly enhances the resilience capabilities of an organisation.

Business Continuity professionals passionately explore and utilise data for adopting and maturing Business Continuity capabilities within organisations. Typically, it takes the form of "x% of companies who did not have a Business Continuity Management System closed following a major impact" - and so on. There is, however, a dimension of Big Data which should encourage executives who love efficiency savings, focus on the "bottom line" and promote an ideal (and resilient) work force. Big Data is forcing proactive executives to sit up and take note.

Here is a glimpse of some reported (and reliable) insights:

• Over 30% of hiring managers place increased emphasis on EQ in their hiring/promotion decisions
• 71% of managers say EQ is more important than IQ
• 34% higher profit growth in firms with high-EQ managers
• 63% less turnover of people because of staff selected on high-EQ
• 50% reduction in lost time accidents as a result of EQ development and training
• Significant increase beyond goals in plant productivity as a result of EQ training

If the above data is to be believed, then recognition of an individual's EQ and subsequent development might be considered more vital than "technical training". Well it is certainly food for thought isn’t it? Have you ever completed an EQ assessment on yourself or has one been completed on your organisation? Is EQ training something you have seen in business continuity/ organisational resilience programs before? Should organisational resilience programs include EQ training? Certainly a worthwhile consideration don’t you think?

About the Author

Eugene Taylor FBCI is an accomplished professional amongst global leaders driving the focus on organisational resilience. His articles convert complicated and voluminous references into layman's terms. Eugene's articles are aimed to clear the myths, encourage debate and suggest possible approaches which businesses, discipline specialists and compliance professionals might adopt.



Harnessing Risk for Business Continuity

Michael Lee, RSA APJ Security Evangelist

As organisations become increasingly innovative, the drive for performance places business continuity at risk, as they encounter issues they've never seen before or do not necessarily know how to handle. Such is the price of being a pioneer, but rather than staying rooted to the safety of the past, businesses can still innovate and be more competitive if they understand how to manage risk.

To do this, organisations need a systematic process for defining and comprehensively categorizing sources of cyber risk, a new accounting of key stakeholders and risk owners, and a new way to calculate cyber risk appetite.

Do you need to tackle risk in a more formalised way? An easy way to determine this is to ask yourself a few questions:

• To what extent do you believe your organisation has a clear understanding of its exposure to cyber risk?
• Does the organisation view cyber risk beyond the headline grabbing data breaches and security threats?
• At what point does your organisation escalate cyber events (breaches, disruptions, etc.) to the most significant level?

These kinds of questions can help you assess your organisation's risk maturity and put in place a proper process.

First, define what risk is. Cyber risk encompasses a wider range of events that lead to the potential for loss or harm related to technical infrastructure or the use of technology within an organisation. These cyber risk events could be the result of deliberately malicious attacks, such as an attack by hackers, or unintentional, such as user error that makes a system unavailable.

Second, take a comprehensive inventory of these cyber risks and quantify their potential impact. This means asking the right questions, such as what losses would be catastrophic, and what information absolutely cannot fall into the wrong hands or be made public.

Finally, prioritize the risk according to impact. Mission and business-critical systems should be ranked ahead of facets like core infrastructure to ensure a return to normal business, rather than spending critical time on issues that could be addressed later.

As a starting point, Deloitte Advisory Risk Services, together with security organisation RSA, have jointly developed a framework based on these principles which gives organisations a way to not only factor cyber risk into their overall risk appetite, but to also define the level of cyber risk they are willing to accept in the context of their overall business strategy. By taking a risk-based approach to threats to business continuity, organisations will have the ability to quantify cyber risks, make informed decisions about their overall cyber risk appetite, and put themselves in a position to succeed.


The Road a Little Less Travelled

In late 2013, a team at NAB were looking for a volunteer opportunity where they could make a difference, when they happened upon Sacred Heart Mission. Every day of the year, Sacred Heart Mission assists hundreds of people who are homeless or living in poverty to find shelter, food, care and support, effectively assisting the most disadvantaged members of our community to rebuild their lives. Since opening their doors in 1982, The Mission, a Victorian based community service organisation, has focused on addressing the issues of homelessness, social isolation and disadvantage. The NAB team found that this cause ticked all the boxes for their employees and started a partnership with them.

“It was quite clear everyone who volunteered had an instilled set of values to act and strong beliefs about the importance of helping others and giving back to society.” – Dale Cochrane (NAB)

Around the same time, The Mission needed to meet the new government funding eligibility criteria that were coming into force in 2014, requiring an organisation-wide Business Continuity Plan. This was a unique chance for Business Continuity experts to use their skills for something a little different to the office environment, by providing support and guidance and developing a process to work through the six stages of the BCM lifecycle.

The work went on throughout 2014 under a Divisional BCM Manager covering analysis, design, implementation and their first validation in May 2014. Throughout 2015 and 2016 BCM became more embedded into the organisation, with annual review activities to reassess the threats and impact on The Mission in the event of a significant disruption (technology failure, natural disaster or pandemic event), complemented by an exercise program developed by NAB and continued education on the discipline.

To ensure NAB’s involvement with The Mission could be sustained, NAB provided the opportunity for any employee to volunteer over the journey.

With an organisation like The Mission you know they are committed to making a sustainable difference in people’s lives, and in a small way NAB could be part of that journey. With NAB’s help, The Mission now has a toolkit including Risk Assessment, BIA template, BCP template, Exercise scenarios and reports, to help them apply BCM to ensure they can come through a significant disruption and continue to be around into the future.

“Some of my team developed strong leadership capabilities, while others enjoyed the chance to innovate and apply their skills in a different environment.” - Martin Biggins (NAB)



Key learnings

• Commitment at an executive level is a must - an essential organisational and governance prerequisite for developing a successful programme;
• A single point of contact on both sides of the project is necessary - appointing one or more persons to be responsible for business continuity with the appropriate authority for the implementation and maintenance of the programme;
• Tap into the volunteer base both skilled and unskilled - adequate staffing must be made available for successful operation;
• Ensure the overall process is sustainable - the BCM Programme is an ongoing process and needs to be actively managed with the long-term goal of the BCM programme to improve organisational resilience.

This joint piece of work now gives The Mission a BCM framework for building resilience to safeguard the interests of stakeholders, reputation, brand and value creating activities, for their critical processes and services.

Volunteers involved across the journey benefited from taking on different roles, from facilitator and exercise observer to report writing, with some having skills in BCM while others were getting involved for the first time in educating and supporting The Mission on the discipline.

“NAB volunteers have saved us over $80,000. That's a lot of meals for people seeking our support!” – Catherine Harris (The Mission)

Over the last 4 years, The Mission has estimated that if it had engaged an external consultant to perform this support, it would have conservatively been charged circa $80,000 to establish its BCM Program and an additional $11,000 year on year, a significant cost for a not-for-profit organisation.

Whilst all this work is great, the true test is to see if it could perform in a disruption. Unfortunately, in 2015 one of The Mission’s plans was activated in anger due to electricity running through the water supply of one of their shared client accommodation buildings. Due to the embedding of the BCM program and the annual validation exercises, clients were all accounted for, documented alternate accommodation was successfully activated, and at the resolution of the incident all clients could be rehoused with negligible impact on The Mission.

DALE COCHRANE AMBCI

Dale Cochrane is a Business Continuity professional who has worked in financial services for 22 years and additionally the not-for-profit sector for the last 4 years. Dale holds an AMBCI; in 2014 and 2015 he was a finalist in the BCI Australasia Awards, in 2015 he completed his DBCI, and in 2016 he holds the position of BCI Victoria/Tasmania forum committee member.

This level of skilled/unskilled volunteering adds to their organisation and NAB. At the end of 2015, NAB employees completed over 700 volunteering days at The Mission or $281,382 in salaries across multiple activities including BCM.

Would you like to contribute an article to Continuity & Resilience Australasia? If you do, please send an email to info@thebci.org.au

In addition to the personal development, shared values of the volunteers and financial savings, The Mission’s relationship and ongoing partnership with NAB BCM is really the first of its kind and the only one we know of that’s working so well.


Business Cyber-attack Plan

Business Continuity Planning has traditionally focussed on site outages. Storms, floods, power failures, fires have been the typical scenarios. But over recent years, the scenarios an organisation should test have changed.

Business continuity is dealing with outage and attack scenarios that are far less visible than the past. Off-site cloud based systems, DDOS attacks, and ransomware are all changing the way business continuity is viewed and the role it plays. The traditional bricks and mortar, site failure scenario, is no longer the sole focus for business continuity planning. And while the likelihood of a site outage has been relatively low, many organisations are now at a higher risk of a cyber-attack. How does the Business Continuity Plan address this?

There are a number of ways a business disruption from a cyber-attack differs from a site outage:

• It may be technology based, rather than site based, and may cross multiple sites, including the DR site
• The initial response may be far more focussed on limiting further damage, than it is to begin recovery.
• The communication methods used as part of a BCP, and information that makes up the BCP may not be available - from anywhere. For example, a DDOS attack may impact phones, email and messaging across all sites.

The testing regime may also differ. A site based failover test is not necessarily a valid test for a cyber-attack, given that a production site and a DR site may be simultaneously affected. It is far more likely that a table-top walkthrough will be used, given the impracticality of simulating a cyber-attack.

Testing scenarios may also need to be more specific. For example, a ransomware scenario will have far different impact to a DDOS attack. So it may be necessary to perform different walkthroughs depending on the cyber risks an organisation is most susceptible to.


Regardless of cyber-attack or site outage, some things remain the same:

• Decisions will need to be made. And those decisions will need senior decision makers, and a way of bringing them together quickly. Regardless of the cause, a crisis management team will still need to make significant decisions on behalf of the organisation.
• Communications will be required to all major stakeholders. The methods used to perform the communications may need to change under a cyber-attack, and the methods used should be evaluated as part of planning. But effective communication is always a key component of the continuity plan.
• The benefits of practising continuity and crisis management pay dividends in an actual event regardless of the scenarios used.

A robust Business Continuity test that includes cyber-attack is an ideal way to ensure risks are recognised and understood, and mitigations are in place. It will require technical expertise to both build the test scenario and recognise the technical impact, and business involvement to recognise the business impact. But the benefits are a greater awareness and ability to manage the risk of cyber-attacks; scenarios that are almost certain to occur.

David Buerckner
GM Internal IT
INTERACTIVE

Business Continuity Quotes

“A business continuity planner is more powerful than all the king's horses and all the king's men, because with a plan in place we can put Humpty Dumpty back together again!” Doug Rezner

“Court disaster long enough and it will accept your proposal” Mason Cooley

“A good plan today is better than a perfect plan tomorrow” George Patton, 1885-1945

“I have found that in battle, plans are useless, planning however is indispensable” Dwight D. Eisenhower

“In a crisis you will not rise to your (stakeholders) expectations, but fall to your level of preparedness - how prepared are you?” Wayne Harrop


WELLINGTON EXPO UPDATE

Well another Business Continuity Awareness Week has come and gone. I hope your efforts have brought some success! In Wellington, in addition to the usual members meetings, we again ran a public expo for BCAW. This year we ramped things up. In 2015 it was just the BCI exhibiting but this year we invited a number of vendors involved in the Business Continuity industry to join the BCI at the expo.

Glen Redstall, Peter Davies, Amanda Scott

Plan-B, RiskLogic and WREMO joined us on-site and Solity, BCPL, Resultex and Critchlow had a presence with banners and brochures.

The weather was not kind to us for the first two days of the three day event. Whilst we were indoors at the Asteron Centre, many people were more interested in just getting into their dry, warm offices. On the Friday the weather improved and the number of people visiting us went up proportionally.

To create greater awareness of and visitation to the expo we created a ‘Guest Pass’ which was distributed to all BCI members for them to redistribute to those that they wanted to have greater awareness of BCM. The ‘Guest Pass’ had a prize draw associated with it. First prize, which was sponsored by Solity, was a "Get Away Kit" bag. This was won by Peter Davies from NEC. Second prize from the BCI Wellington Forum was a “BCM for Dummies” book and it was won by Cara Gordon, Ministry of Civil Defence and Emergency Management. Plan-B also ran a prize draw for those who visited their stand. First Aid Kits were won by Margaret Thomson and Kirsty Bennett from IRD and Pradeep Navalkar, MBIE.

With the number of people involved in this year’s expo we learnt some interesting things. As a result we are now looking forward to some possible improvements including changes in delivery the type of some of the deliverables for 2017.

Steve Streefkerk, Cara Gordon, Glen Redstall

The Wellington Forum Management Committee would like to thank the Asteron Centre Owners, the exhibitors, those members who manned the stands and everyone who visited us for making another successful BCAW Expo. Remember BCAW should not be primarily for our own edification but for the enlightenment of those who need to know about BCM. So I encourage you to start thinking about and planning what you are going to do for the 2017 BCAW. If you would like to know more please contact me at david.thompson@thebci.org.nz

DAVID THOMPSON
Wellington Forum Team

Glen Redstall, Pradeep Navalkar, Margaret Thomson & Ken McWilliams


Business Continuity and the changing face of terror

Dynamiq Founder and Director of Strategy, Anthony Moorhouse

The aftermath of the Nice terror attack. Image: Sasha Goldsmith, Daily Mail.

The role of police and anti-terrorism units in thwarting terror attacks has always been a difficult job. Their job has become even more problematic as terrorist groups have devised new ways to create “weapons of mass destruction.” On September 11, 2001 we saw what would be the start of modern terrorism when a coordinated group of highly trained terrorists hijacked commercial aircraft and turned them into weapons. In Mumbai, Bali, and Paris terrorists struck again but with more conventional weapons. The tools used were simple yet deadly explosives and small arms, but the planning was still complex, the result mass casualties and worldwide panic.

With the rise of ISIS, attacks are occurring all too often. But ISIS has also given rise to another form of attack, the ‘lone wolf’ assault. This attack is characterised by the use of unsophisticated weapons, but without a highly coordinated team carrying out the attack. The introduction of such attacks, marked with allegiance to various terror groups, has made the jobs of law enforcement, security, and risk managers that much harder. In many situations, these attacks may not be able to be foreseen or prevented so a well-exercised emergency response plan is vital.

The attack on the nightclub in Orlando, for example, was not planned by a command team or higher authority. It was simply undertaken by a lone wolf who used his attack for notoriety, pledging allegiance to ISIS in the midst of carrying out his violence. He still used military-style weapons and masses of ammunition in a traditional hostage or mass shooting situation. The recent attack in Nice, France, carried out by a lone wolf actor using a garden variety truck rather than any form of weapon designed for killing, is both particularly shocking and representative of yet another evolution in terrorist tactics. In many ways, the blunt force trauma caused by a speeding truck was worse than a large, sophisticated explosive device.

As Risk, Security and Continuity Managers, you can’t be there to keep your people safe every second of the day. However, it’s part of your duty of care obligation to understand the risks faced by your people while they are overseas for work and mitigate those risks appropriately.

Organisations need to scan the horizon for new risks and threats, and this new form of terror attack should definitely be on the radar. In addition to crisis and emergency management plans, there need to be systems in place to ensure your business can continue operations after a crisis occurs. Dynamiq develops and reviews Business Continuity plans for major organisations around the world. As a part of our sponsorship of the Business Continuity Institute (BCI), Dynamiq is offering a complimentary Business Continuity Health Check to BCI members.


The Business Continuity Health Check is a review of your organisation’s Business Continuity Management System. We provide feedback on your organisation’s business continuity maturity level, identify areas for improvement and provide a roadmap for development. The health check is conducted by a Dynamiq consultant through face-toface meetings. Each meeting involves 21 questions across 8 areas of the Business Continuity Management System. As an essential component of any resilience program, it’s vitally important to ensure that your business continuity planning reflects reality and relevancy. Topics include: The Organisation and its context, Scope of the BCMS, Business Continuity Management (BCM) Policy, Business Impact Analysis (BIA), Business Continuity Response and Recovery Plans, Incident communications and warnings, Training, Exercising and Tests, Monitoring, Measurement and Evaluation Following the meetings, recommendations are discussed and presented in a report. The results from the health check are mapped by sector, providing a visual guide to areas of strength and areas for improvement. To book or discuss a free Business Continuity Health Check, please contact Jason Gotch at Jason.gotch@dynamiq.com.au or on +61 (0) 2 9154 2609.



Forget about cyber-security, what about human bio-Security?

Cyber-Security currently sits at the top, or near the top, of any list of risks that the modern organisation faces. However, there is another risk that raises its head at this time every year: colds and flus.

Especially in the winter, these illnesses can seriously impact an organisation’s productivity, yet this human biosecurity risk is one to which the majority of people, managers and organisations pay little attention, thereby underestimating the risk to their operations from the loss of staff.

The New Zealand Government’s Wellness in the Workplace survey reports that influenza-like illnesses are worse than just bad colds, and account for 45% of illness days for unvaccinated people each winter. This means that sick leave absences cost New Zealand more than six million work days throughout 2014 - an average 4.7 days for each employee - at a cost of $1.4 billion.

In a pandemic our plans often state that we will get people to stay at home when they become ill. Yet when it comes to the common cold and seasonal influenza, organisations let their staff come and go as they please. So, if we are prepared to manage people in a pandemic situation, why are we so reluctant to manage people in the “cold & flu season”? Should we consider, in conjunction with our Human Resource teams, creating a process that more comprehensively manages people who turn up at work when they are ill, and if so what does this mean?

Implementing or improving and empowering a “Stay Home” policy

The most effective way to protect your business against the spreading of bacterial and viral infections is to encourage sick staff to take time off. This may seem contrary, but these infections can be highly contagious: one person taking a day or two of sick leave will help prevent passing it on to other employees, who would then need time off to recover as well.

We need to strongly present the following argument: “You might feel guilty for not going to work when you are ill and fear everything will grind to a halt if you’re not on deck. It’s time for a rethink: by going to work you infect others, thereby disrupting work more than you would by just taking the time off to get well. If you don’t feel you can take time off, can you work from home while contagious?”

Vaccinate against influenza

Vaccinations are a vital part of the overall strategy for protecting your staff and reducing the working time lost to illness. Therefore organisations must consider paying for their staff to be vaccinated, either through their medical centre or by organising a group vaccination session at the workplace.

Encourage good health habits

Healthier people are less likely to get sick. Therefore we should be encouraging our staff to:

• Wash hands: Encourage staff to wash and dry their hands often to stop bugs spreading.
• Sneezing & coughing protocols: Understand the correct way to cough or sneeze to reduce the spread of germs.
• Keep fit: Fitter people get sick less often. Think about staff health challenges, like fun runs and social sports teams.
• Eat well: Encourage staff to eat healthily at work to give their immune systems a boost. Think about having a communal fruit bowl and offering snacks like nuts over chips at work drinks.
• Get outside: Exposure to sun for even short periods every day boosts vitamin D levels, an important nutrient for immunity. If you’re office-based, encourage lunchtime walks in the sun.

Sick leave rules

Sick leave relies on a good faith relationship. An employer must be confident an employee is sick, while employees need to know they’ll be supported to get well. Therefore organisations should review their leave policies including:

• Carrying over unused sick leave to the next year.
• Letting employees use sick leave to care for a spouse, partner, child, elderly parent or other dependent.
• Paying staff their normal pay for days they’re on sick leave.
• Allowing sick leave in advance.
• Ability to access annual leave.
• Using unpaid leave.
• Requirements for proof of illness.

By actively managing our staff through a period such as the winter cold and flu season, organisations have the opportunity to:

• Maintain or increase their productivity during this time,
• Give greater protection to their staff from illness,
• Improve the health of our organisations overall.

So let’s take charge of managing the health of our people and organisations.

DAVID THOMPSON
Wellington Forum Team



What is Education Month?

Education Month is about reflecting on your professional development within business continuity and resilience. It is about understanding the necessity to keep up to date with the changes happening in your industry, and then to learn and move with these changes and developments. Education Month takes place each September.

Who is it for?

Education Month is for everybody! The theme for this year is Lifelong Learning, which encapsulates the need to always be looking to improve your knowledge and understanding, no matter what stage of your career you are at. For professionals newer to the industry there is always so much to learn, but it is also important for more experienced professionals to keep updated with new terminology, new processes, new technology and new threats facing organizations.

How can I get involved?

This is the easy bit. There are so many ways for you to improve and update your knowledge: you can attend an event or seminar, read a report, join a webinar, take a certification or training course, join a mentoring programme, write a paper, present at a conference, network … the list is endless. It is up to each individual to assess their personal needs and preferences. To help, the BCI will be providing discounts and webinars throughout September.

Self-study

• 50% off Good Practice Guidelines
• 50% off CBCI Exam Mock Questions
• 30% off BCI How to Guides …
• Free BCI Training DVDs – Practice makes Perfect / How to do a BIA
• Free BCI Research Reports
• Free e-Learning Module One – What is business continuity

Formal Learning

• 10% off BCI Diploma
• 10% off CBCI Online Training Course
• 50% off e-Learning – Building Resilience
• 20% off selected Training Partner courses
• 20% off Corporate e-Learning licence

Professional Activity

• Join a webinar. The BCI will be running a series of free webinars throughout September.
• Attend a conference or seminar. BCI currently has two events you may wish to attend - BCI World (London) and BCI Africa Conference (Johannesburg). There are also many BCI chapter and forum events.
• BCI members can sign up to the Mentoring Programme. This is a great opportunity to learn from experienced professionals and make new contacts.
• BCI members can join the CPD programme and document their learning; this is also a prerequisite for upgrading to some BCI membership grades.



UPCOMING TRAINING SCHEDULE

The BCI is pleased to work in partnership with the organisations outlined below.

• Good Practice Guidelines Training Course (CBCI) - RiskLogic. From August 16, 2016 09:00 until August 19, 2016 12:00. At New Zealand, Christchurch
• Incident Response and Crisis Management - RiskWest. From August 25, 2016 09:00 until August 26, 2016 17:00. At Australia, Perth
• Incident Response and Crisis Management - Riskwest. From September 08, 2016 09:00 until September 09, 2016 17:00. At Australia, Sydney
• Good Practice Guidelines Training Course (CBCI) - JBT Global Corporate Advisory. From September 12, 2016 09:00 until September 16, 2016 17:00. At Australia, Melbourne
• Good Practice Guidelines Training Course (CBCI) - JBT Global Corporate Advisory. From October 10, 2016 09:00 until October 14, 2016 17:00. At Australia, Brisbane
• Good Practice Guidelines Training Course (CBCI) - RiskLogic. From October 18, 2016 09:00 until October 21, 2016 12:00. At Australia, Sydney
• BCI ISO 22301 Lead Auditor Training - in Partnership with ICOR - ANSI Accredited - JBT Global Corporate Advisory. From October 24, 2016 09:00 until October 28, 2016 17:00. At Australia, Sydney
• Good Practice Guidelines Training Course (CBCI) - JBT Global Corporate Advisory. From November 07, 2016 09:00 until November 11, 2016 17:00. At Australia, Canberra
• Good Practice Guidelines Training Course (CBCI) - JBT Global Corporate Advisory. From November 21, 2016 09:00 until November 25, 2016 17:00. At Australia, Sydney
• Good Practice Guidelines Training Course (CBCI) - RiskLogic. From November 22, 2016 09:00 until November 25, 2016 12:00. At Australia, Melbourne
• Incident Response and Crisis Management - Riskwest. From November 22, 2016 09:00 until November 23, 2016 17:00. At Australia, Melbourne
• Good Practice Guidelines Training Course (CBCI Certification) - Riskwest. From December 01, 2016 09:00 until December 06, 2016 17:00. At Australia, Perth
• Good Practice Guidelines Training Course (CBCI) - JBT Global Corporate Advisory. From December 05, 2016 09:00 until December 09, 2016 17:00. At New Zealand, Wellington



Special Interest Group in the Spotlight - BCI Queensland

Andrew Darby (MBCI) & the Queensland Forum Team

The Queensland BCI Forum has seen a real renaissance over the past 12 months, with renewed interest and increased attendance at scheduled events. Key changes to the format have resulted from a review of current Forum practices, a fresh approach, and the establishment of a dedicated and enthusiastic member sub-committee. The expansion of the Forum Team to include the sub-committee has been instrumental in reducing the onus on the Forum Leader and Secretary to do the lion’s share of the work. It has also allowed an increased focus by the team on meeting member expectations with regard to networking opportunities and presentations relating to current industry best practices.

There has been a noticeable increase in the number of registrations for scheduled events when compared to previous recent years. Presentation topics have included: surviving a Tsunami; a guided tour of Interactive’s DR site and BC recovery centre; a technical talk from RSA on cyber threats; a Crisis Management workshop; and a summary of the BCI Summit in May. The Forum has more interesting and varied sessions planned for this calendar year.

Unfortunately, due to an interstate move at short notice, Andrew Darby has had to relinquish his role as Forum Leader. An excellent replacement in Glen Edwards has been appointed. Glen was on the Organising sub-committee, and has agreed to step up to fill Andrew’s rather large shoes! Glen will continue to develop and work within the new operating model, in consultation with Paul Trebilcock, the BCI Qld Area Director, the Forum Secretary and the organising sub-committee. The Qld membership extends its sincere thanks and appreciation to Andrew for his dedication and commitment to the Forum over many years, and especially for stepping into the Forum Leader role last year.

Andrew would also like to thank and recognise the efforts of all the Qld Forum volunteers, including Glen Edwards, Ian Martin, Nerrida Graham, Lisa Cameron de Vries, Sheena Downey, Adele Finch, Lyn Richards, Lisa Sos, Clint Seagrave, Marty Stewart, Steve Power, as well as all the members and their guests who have attended recent Forum events.

This renaissance and reinvigoration of a BCI Forum is a clear indication of what can be achieved when a group of like-minded, committed individuals come together, and work together, for a common purpose. The BCI has always been an organisation built on volunteer activity, and has grown into the global peak body for BC and Resilience professionals as a result. The Queensland team have shown what can be done, in a relatively short time, and are proud of their mighty achievements – as they well should be! And with this new model of leveraging an enhanced team with an enlarged membership, there are plenty of opportunities for any BCI member to participate at whatever level they feel comfortable with.

To find out contact details for your Area Director and your local Forum Leader, check out the BCI Australasia web site under Australasian Area Forums.


By Saul Midler FBCI

Planning is well underway for the next key activity on the standards calendar. The third International Standards Organisation (ISO) Symposium will be held in Edinburgh, Scotland from the 5th to the 9th of September. There are six working groups, each with many work activities (streams) plus a number of additional work activities. The following list represents the key BCM and BCM related work activities:

• ISO DIS 22316 – Organizational Resilience
• ISO WD 22320 - Crisis Management
• ISO TS 22330 - People Aspects of BCM
• ISO TS 22331 - Strategy Development of BCM
• BCM for Small, Medium Sized Enterprises (SMEs)
• Sector specific guidance on BCM

Unfortunately, most of these work activities will run in parallel, but fortunately, the Australian delegation is large enough to provide enough coverage to make sure the Australian voice is heard. My specific areas of interest are: ISO 22331 - Strategy Development of BCM, ISO 22330 - People Aspects of BCM, and BCM for SMEs. Hopefully the agenda will allow me to devote quality time to each of these three work items.

On the Australian front, Howard Kenny and I attended a joint working group meeting with the Risk Management Technical Committee and authors of AS5050. We've agreed on the way forward, with the objective of allowing Australia to adopt ISO 223XX by amending AS5050.

Upcoming Events - Forum Activities & Events in Your Area

• 18 Aug: WA Area Forum Meeting
• 22-23 Aug: Gartner Security & Risk
• 24 Aug: Auckland Forum Event
• 8 Sep: BCI Australasian Awards
• 14 Sep: Wellington Forum
• 15 Sep: VIC/TAS Forum Meeting
• 20 Sep: NSW Area Forum Meeting
• 21 Sep: Auckland Forum Event
• 12 Oct: Wellington Forum Meeting
• 18 Oct: Brisbane Area Forum Meeting
• 19 Oct: Auckland Forum Event
• 16 Nov: Wellington Forum Meeting
• 16 Nov: Brisbane Area Forum Meeting
• 17 Nov: WA Area Forum Meeting
• 23 Nov: Auckland Forum Event
• 24 Nov: VIC/TAS

To view all upcoming events go to http://events.thebci.org.au


SPECIAL DISCOUNT OFFER AVAILABLE TO BCI MEMBERS
