Tuesday, 21 June 2016

Building Fortresses with Andrew Lawton - Interview

From very early history to modern times, walls have been a necessity for many cities. Protecting your livelihood and practising your defences was, and still is, essential. We may not put walls up around all of our lives and businesses in the literal sense, but what will you do to protect your business under threat?

Build your Fortress of course! Inspiration is everywhere, and this time I welcome Andrew Lawton to RISKercize.

With international experience in an array of fields including risk management, information security and compliance, Andrew is paving the way in building fortresses with that personal touch, and reminding us what really makes recovery a success: people! Read, enjoy and be inspired.

Your first job?
My very first job was actually picking potatoes, which paid surprisingly well for a 16-year-old. It was a summer job in Devon, and I went on to work in an ice-cream factory helping to make choc ices.

I never used my degree in Microbiology but went straight into sales, selling insurance. It was definitely not the most glamorous of jobs but certainly gave me a good grounding in hard work that has stood me in good stead ever since.

What does Business Continuity mean to you?
To me, Business Continuity planning is basic good practice that every responsible company director should ensure is undertaken for their business. Even outside of regulated industries it is an essential process of risk reduction and mitigation.

Your most memorable BC/DR situation that you were involved in?
My most memorable moment was when I was in the final stages of negotiation with a well known telecommunications equipment manufacturer aiming to implement a business continuity service for their Sun Microsystems server. 

I had dropped off the contract with the company and the Finance Director (they did not have CFOs in those days) had taken the contract home with him and was going to sign it over the weekend. 

That Friday evening at 7:01pm the IRA set off an enormous truck bomb at South Quay station, just a couple of hundred yards from their office, opening their building up like a tin can.

Your inspiration to start your own recovery site?
Much has changed in the business continuity market in the past 20 years. 

Now many organisations look to cloud services, either public or private, to provide their disaster recovery provision for their IT. There are now many providers delivering good DRaaS and Managed Services and I felt that I wanted to partner in this area rather than compete.

What you cannot put into the cloud of course is people and so there is still a requirement for work area recovery (WAR).

The size of WAR requirements has reduced due to the greater flexibility that staff have these days to work from home. This has taken the size of WAR contracts below the radar for the bigger global business continuity service providers who are focusing as businesses on Managed Services, Colo or DRaaS.

However, I am finding that there is still a core of approximately 10% of a company that needs to work together to be efficient, make faster and more effective decisions and to speed up communication. This is even more the case at the time of a disaster.

Although the number of work area positions needed by companies has reduced, and the values have correspondingly reduced, businesses still want to feel that they are valued and important customers and that their service provider is flexible and attentive.

So it is into this market that I am going to be opening the new recovery centre, to answer this need. 

How will this be different to other recovery sites in the market?
The recovery centre in itself will be remarkably similar to others in the market. It will be newer of course and have the latest tech.

The difference from Fortress will be in the delivery of that service and the value that is wrapped around it.

What I have found is that many of those with BC responsibility in mid-tier businesses have BC as only a part of their role. As a result they are looking for someone to come in and take the problem away, to help them address their organisation’s needs as quickly and effectively as possible.

To this end, we have reviewed the aligned vendors in the BC space and evaluated those that are most relevant to our key customers. These include vendors providing DRaaS, Cloud Backup, Crisis Communications, Crisis Transport and Business Continuity Consultancy services.

We will provide our customers with our research and they, if they have the need, will be able to incorporate the services from these vendors into the one service agreement with Fortress. The aim is to deliver a complete business continuity solution from one source.

Fortress customers will also receive a free Crisis Management and Business Continuity Workshop for their executives to review and understand their current position, where they need to get to and how to get to that point. The aim is to instil an understanding of the risks and potential mitigations at board level and to gain buy-in across the organisation for the business continuity plans, thereby raising their profile.

Expected Live Date?
The site is expected to go live at the end of October. 

Advice for anyone else who wants to start their own business?
The key to starting your own business is really understanding your market and validating your opinion against the opinions of others. Listen particularly hard to those people who do not agree with your point of view to understand why they think that way.

Get a good mentor, someone that has built a business before, preferably in the same market. Take their advice.

And when you have clear plans, understand the market and have validated that your customers are real and really want to buy from you - go for it.

RISKercizing until next time..

Sunday, 25 October 2015

Therapy for BIA Addicts

I think BIA addicts need therapy! There, I said it!

I always knew this area was somewhat of a task, and more often than not the scenarios one would hear were:

1. We don't want any BIAs, just write the plan;
2. Someone did a BIA 3 years ago but we don't really follow it; and, the BEST one I heard recently,
3. We do BIAs three times a quarter and have been for the last year!

THREE times!!??! So BC plan owners were called BIA owners, and instead of going through the BC life cycle the company was stuck. Stuck doing the same thing, like a broken cassette player we used to listen to back in the eighties. It started off with the best intentions, to familiarise staff with the process; however, somewhere in between, the rest of the BC planning was forgotten. What was left? Annoyed stakeholders, obviously!

I touched on therapy for BIA addicts in my podcast interview, which you can listen to here.

Alas, after recovering from the thought of making the business conduct BIAs so many times, which has literally been giving me nightmares, it is essential that any BC person starting off in this industry realises that whilst BIAs are essential, the full life cycle needs to be conducted to fully understand whether the BC capability is effective. Refinements should be a natural, ongoing process. The BIA addicts among you may say that this is ridiculous, but a BIA need not be perfect. Without going past the analysis stage, how can you know if what you are inputting is feasible? What was happening in this case was that the distinction between BIAs and BCPs was lost. It became BIA planning rather than BC planning.

So, my question to you all out there is: where do you draw the line on updating and start implementing? How many times is too many times?

Stay tuned for more BIA therapy.

RISKercizing until next time..

Thursday, 20 August 2015

Digital Public Surveillance in a Disaster..

When I was partaking in Exercise City Survival, a “pilot” training course aimed at individuals who are interested in understanding terrorist "intelligence", we were tasked with an exercise on terrorist and counter-surveillance activities and were then sent out to prominent locations within London to engage in specific solution-based tasks, culminating in stopping a terrorist incident. In this instance I was a suspect and had a group follow me and a fellow volunteer around the streets of London.

The activities and counter-surveillance took a whole day, and even at the end it may have been difficult to catch us as suspects, especially if we had known we were being followed. Just now I was reading an article on what we have learned in terms of disaster management in the 10 years after Hurricane Katrina. The bit below got me into flashback mode.

“When a tornado and flash flood recently hit Wise County, a small rural area northwest of Fort Worth, digital volunteers were able to gather street addresses, photographs from the ground, and up-to-the-minute information on county roads where damage had occurred. This information was given to disaster response teams before the first relief truck even rolled in. It saved hours of work for field responders, making for a more effective response operation,” wrote McGovern. See full details here.

Throughout the day, as we were being surveilled as the threats and wandering the hot spots of London, we got chatting about how students would be the perfect people to help in counter-surveillance without being noticed. In this digital day and age, young people constantly on their phones are a common sight; it is normal to have teenagers sitting around in cafés on laptops and phones, and no one would suspect a thing. Compared to that, a middle-aged woman or man hanging around on their own still seems somewhat ‘dodgy’, especially if you notice someone following you around the whole day.

We were grouped and conjured up a story on how to look legitimate in case anyone asked; I mean, why would two twenty-somethings be wandering London’s sights in the middle of the day? OK, so maybe that’s normal for London as there are so many people, but realistically, hanging around train stations and scoping out where the security cameras were, as part of our role play, would have been somewhat worrying to some people. (We came close to an incident, and our team being arrested, were it not for the lovely undercover police who were part of the exercise protecting us.)

I digress; I want to highlight that particular example of digital volunteers, because it is now essential. Information is available in so many forms, and what better way to gather it than with the public’s help? I found out that in a surveillance case the police would work with 30-plus people dotted around to avoid being caught. This is taxing, especially when the public can help.

As a Londoner, one has to appreciate the numerous tweets on public transport, for example. There was a time I jumped on and off 6 trains, thanks to various tweets Londoners had put out regarding various train failures. I was desperate to get to Hove to surprise my fiancé. (It didn’t end up being a surprise when it took me half a day to get to him, but it was the thought that counts, along with the help of all this information!)

Digital public surveillance in a disaster is absolutely essential: it saves time, we should all be contributing to it, and it should be considered as part of all contingency planning. Time is of the essence in a disaster. Fact! Tweet about it!

RISKercizing until next time..

Monday, 15 June 2015

Art for Art’s Sake – Building Resiliency & Planning

As a committee member of BANG (a group for people interested in business continuity and organisational resilience), I was at our event on 27th May 2015, which welcomed Russ Timpson, the founder and CEO of Horizonscan Ltd.

He talked about art treasure recoveries; a type of planning I had never considered, but since the talk, it has played on my mind and sparked a curiosity in this area.

As fires & floods are a major risk to all types of buildings which contain irreplaceable artwork, books and artefacts, what are the techniques and proven processes to reduce that risk? Russ delivered a great presentation and below are some highlights with some additional thoughts.

What got us thinking about this?  

Clandon Park, a Grade I listed building near Guildford, Surrey, was a prime example of what was probably little planning. Paintings were thrown onto the lawn in attempts to recover as much as possible, without knowledge of which were high value and how to retrieve them. It was an essential lesson that highlighted the need for pre-planning and investment in recovery procedures.
Much of the art and treasures in buildings contain history and it is difficult to put a price on invaluable items that come with years of heritage.

Recovering art work in galleries: Business Continuity Planning (BCP)
For museums and galleries, the BCP might include a list of exhibits in order of importance, and have a dedicated recovery team available to evacuate those exhibits to a safe location in the event of an incident. But, before this can be done, we need to ask ourselves a few questions.

1. Know what you’ve got.
First is defining what we actually mean by an irreplaceable asset. Is it priceless items? Knowing what you have is a starter, and knowing if it can be insured is also essential. There is a need to create asset registers (vital for any business), pick lists and resources, to have plans, layouts and access routes, and to know the limitations of the building you are in. In terms of art recovery, maps could be for internal use to enable those nominated to move items. All this requires working hand in hand with security people and health and safety to carry out appropriate risk assessments.

2. Risk Management: What’s your Risk Appetite?

Now you have identified what you've got, manage the risks. There are various ways this can be done; examples include distributing your assets, moving or protecting them (finding a suitable place), containment (fire doors) and diversion (if water is coming down the building, channel it out of the windows). All of these need horizontal and vertical pre-planning.

All these things ought to be considered through a risk management process which includes the assessment of the likelihood of an incident that would trigger an evacuation of such art works, treasures, etc.

It is important to note that full evacuations of national treasures, art works, etc. may not be practical or necessary (unless war were declared). Colour coding high value items and paintings may be a good strategy to adopt. This of course may invite easy theft, amongst many other issues, but more importantly would require working very closely with the local emergency services and agreeing mutually beneficial plans.

The key thing to remember is to:

3. Liaise, Plan & Practise
Who are the stakeholders? It is important to confirm expectations: at Windsor Castle, a whole army came to recover all the books. This is not a very good use of government resources, and hours can be spent recovering essentially low value items. A planned response ought to be preferred.

Plan, check, plan, check: are responders competent, has training been given? Plan and check, and continue until this is refined. The presentation rounded off with a closing question we ought to consider.

The ladder question: Is it reasonable to ask someone to get up on a ladder and try to salvage a painting? This should be our sanity check, where varying factors are considered such as age, fitness and also whether it is indeed practical.

Whilst being curious, I came across the Art Loss Register. Check it out!

This month, we have a whole-day city survival exercise planned, with an evening event on personal survival. Do come along if you are around central London in the evening; it’s free. Click here.

RISKercizing until next time..

Friday, 29 May 2015

Coffee & Crisis

An insight into Starbucks Crisis Management
Whilst treating myself to an afternoon caffeine fix (according to my partner, buying coffee every day isn’t a treat; I guess he is right, but I digress), this famous white Starbucks cup and green siren got me thinking about a webinar I attended on Starbucks and crisis management. Two of my favourite topics, coffee and crisis, inspired me to share with you all what I had learnt.

Starbucks is not just the drink product we see on the cups. I was surprised to learn that they have their own café bakery ‘La Boulange’, Seattle’s Best Coffee, Evolution Fresh Juicery, Teavana and of course Tazo tea. But wait, before this starts sounding like a sales pitch (which it is not; nor do I have a particular undying love for Starbucks), it’s just fascinating that I had never stopped to think about the wider remit of this company.

Starbucks is not just a retail outlet, but also the owner of multiple manufacturing facilities (bakeries, juice, etc.) across the world. They sell products in grocery stores, from coffee beans to Tazo teas to natural energy drinks, and also have a train car and cruise ships based in Austria and Switzerland.

In terms of risks, what are they? (After all, we are RISKercizing.)
  • With a presence in over 66 countries, naturally the green siren becomes a target for any incident;
  • Multiple manufacturing facilities (bakeries, juice, food, etc.) pose a risk of food compliance issues across the world;
  • Starbucks is not just a product, service, retail or manufacturing business; it’s also known as the ‘third place’. This means that besides home and work, it is noted to be the third place to relax in various social settings. (It is also the best place for online first dates.) Because of this, the safety risk is paramount. This is why critical communication is essential (e.g. in incidents such as a fire or bomb threat).
Interesting fact: during Hurricane Sandy, Starbucks closed its doors for safety; people congregated outside and took advantage of the Wi-Fi to stay connected and find out what was going on.

Starbucks and Crisis Management
Crisis management, disaster recovery and enterprise business continuity mean they respond, recover and restore operations, manufacturing, supply chain and support functions across brands and across the globe. (Wow!) Having a resilient and robust crisis management tool, especially a mass communication tool, would help blur the lines between key operational stakeholders.
For example, this would ensure that the teams dealing with financial incidents, info security incidents, information system incidents, social media events, retail incidents, QA food safety, physical security, food defence, global supply chain disruptions, geological and meteorological events, and criminal incidents are aware that each other exist.

There is no single path by which we find out about incidents or crisis events. The question is how this information is validated and quickly assessed, as assets may be in different countries. The webinar went on to speak about Starbucks’s emergency mass communication tool, which inspired me to blog about it. I had never realised the true extent of how systems really help manage great communication risks across global products and supply chains. It is absolutely better than trying to do all this manually. To put this into context, such a system would enable monitoring of:
  • Regional emergency alerts such as weather, civil unrest, earthquake or wildfire incidents;
  • Facility emergency alerts, which direct evacuation or shelter-in-place orders. Running ovens to roast coffee beans has risks, and alerts to help manage this are essential;
  • Quality assurance alerts, which direct emergency recalls or process changes, enabling faulty goods to be recalled;
  • Partner accountability, to gain validation that someone received the notification.
All this would help manage and control risks!

A challenge: hourly-based employees like baristas do not have Starbucks emails and have to go onto the intranet, log on and set it up to find out if there is any incident. How did Starbucks resolve this?
  • Communication would be on both the internal system and customer-facing public ones, so logging into the system is not the only method; and also
  • All stores have individual IP addresses that tie them into the notification system so communications can be received more quickly, e.g. partners know a storm is coming and put the necessary controls in place to manage that incident. This means all relevant parties are notified.
What is your order please?
Next time you are ordering, think back to this post, have a look at the retail store you are in, observe the communication methods, machinery etc. and think about what if something failed. Coffee & Crisis will certainly never look the same!
For now, I’ll have a Grande Extra Hot Skinny Cappuccino, please.

RISKercizing until next time..

Friday, 24 April 2015

Food Fraud: Horsemeat!

Remember the Horsemeat scandal? I blogged about it way back then. Check it out below.

Today, a coordination centre run by Eurojust and led by the French Desk succeeded in stopping an organised criminal network involved in trade in illegal horsemeat.

Check out the full article here.

Interesting fact: between 2010 and 2013, 4,700 horses unfit for human consumption were slaughtered and introduced into the legal food chain.

RISKercizing until next time..

Wednesday, 1 April 2015

London Rush Hour Chaos: Where was your Business Continuity Plan?

Is it not slightly eerie that before a holiday or festive season we are hit with some sort of chaos? (Think back to the ever-so-common extreme snow shutting down airports and delaying flights just before Christmas, for one.)

Today London was hit by the chaos of a huge underground fire in Holborn, probably one of the most stressful commuter stations, with mass office evacuations and major safety concerns.

At least 2,000 people were evacuated. I came home and was greeted by an excited flatmate who told me how the chaos unravelled, to which I excitedly (and possibly in work mode) started quizzing her: what was the company’s BCP, what was their incident response like, and what about calling cascades?

As it turned out, it was a bit of a mess!! Luckily she had some idea of the importance of BC planning. The scene went something along the lines of this:

After two evacuations and the experience of seeing windows filled with black smoke, a group of people freezing in the cold (as I presume quite a few were) were having discussions about what they would do and how they were going to communicate in this incident:
  • One person says they will email everyone an update, but how would they do that, as all the laptops were in the office, said another;
  • Next, someone mentioned the contractors and people who had their laptops stuck in the building, so even if the person sent an email over a work phone not everyone would get it;
  • 'Oh, yes, never thought of that', someone else says, and the conversations continue;
  • 'What's our BCP?' asks another;
  • 'What is that???'
In between all the what-ifs and blank stares about what a Business Continuity Plan was, and a calling cascade/tree, and the sudden realisation of who has to call whom, it was quickly established who the key person was in 'running the show'.

Meanwhile, the CEO of this particular company was at home (probably having a French lesson), with no clue what was happening and whether his staff were safe.

I reminded my flatmate that in times like this the CEO may not be the best person to manage a BC incident. This would be a good time to observe who the 'go to' person was who was managing this; the CEO would be there to support major decisions and obviously to take accountability for the safety of his staff, whilst realistically delegating that responsibility to a competent, trusted person.

Everyone was sent home, and then told to come in as normal tomorrow unless contacted. Despite not having a proper plan, it was evident the incident was, so far, managed; however, it just goes to show that what was once seen as an unrealistic scenario has actually become a common thing. It reminds me of a time a Head of Department laughed when I talked of our building catching fire.

You all know what I will be doing first thing tomorrow morning? Sending this link out and saying: This could happen to us; Where is our BCP? Where was yours? 

Read more about the details of what happened earlier today via the below link:

RISKercizing until next time..

P.S. London's spirit and the power of social media in communicating in an incident are just outstanding. Stay safe.

Friday, 30 January 2015

Making your BC Exercises relatable

Every second article I have read says it’s not about the scenario but the actions therein.

True, but what happens when you are trying to engage a whole department in Business Continuity Planning, finally get there and get meetings agreed to exercise the plans, and the scenarios just don’t relate?

I conducted a few exercises giving out the usual fire, flood and telephone scenarios, and even a case of winning the lotto. At first quite a few said, “Oh, that’s never going to happen anyway”. Sometimes you can’t win them all, and no matter how much you try some people just don’t want to buy in. That is OK. If they are willing to accept the risks then they are willing to accept the consequences.

Since I have been involved with Business Continuity (almost 1 year) I don’t recall an exercise that wasn’t cancelled. (I have a pretty good handle on this now after being ‘rejected’ for an exercise 5 times.) I expect it, and it is mainly because people are slightly anxious about what is needed.

I have had Heads of Department look almost anxious at the thought of me coming in to ‘test’ them. It reminds me of school days where I had to take exams and dreaded it because I didn’t understand the subject. The same principle applies. You get told to do the plan, and then you do it, without really getting why; then when you test it, that eureka moment occurs. (Hopefully.)

Making a silo-based organisation (there are always going to be silos) come together to focus on better resiliency and business continuity is a challenge. The phrase WIIFM (what’s in it for me?) has never been more applicable than at this time. I decided it was time to scrap generic scenarios, take a more ‘hands on’ approach and focus it around what each department did. I spoke their language and combined it with mine.

Example: I did a desktop walkthrough for a department which primarily focuses on large fundraising events. What was going to engage them more, a fire scenario in the office away from their event, or a scenario related to an upcoming event which has the capacity to generate an income of more than £50k?

The Scenario: A special event is happening tonight and will raise £50K. Card payment readers are locked in the office, but it has been established that the building has been closed due to another flood (using something that happened recently).

What are the options? Is there a backup? How will you get donations from people who want to pay by card, and how will the BCP help decide what to do? I then built on from that scenario.

The Result: Realisation that something like this had actually happened in the past, and the bank they would ring had refused card readers. Various options were discussed: paper slips could be used, and as the scenario developed it turned out that for the most part a lot of the contingencies were in place. They just hadn’t realised that this would be a BC event. The feedback was positive, and further tweaks to the BCP were required. The Head of Department said it was a good example and would use it in their team meetings to raise awareness for the rest of their staff, especially as this had never been considered before.

Success, I’d say!

Better to have the business continuity plan and not need it than to need the plan and not have it. – anon

RISKercizing until next time..