Category Archives: Preparedness

Millennials and Cybercrime

Category : Preparedness

This is an article from the USA that focuses on the high incidence of millennials (I hate the phrase but there it is) becoming victims of cyber crime. I thought the advice was worth sharing so here it is, unedited by me, so you may have to translate from American to English.

Cybercrime has cost victims $126 billion worldwide and it has indeed established itself as a criminal enterprise. Every day, we see headlines on security and data breaches, invasion of privacy, and hacking. Cybercriminals continue to innovate new ways to attack and both private and public sectors remain vulnerable.

Studies have shown that millennials – those who are born between 1982 and 2004 – are among the top victims of cybercrimes. According to a 2016 report by Norton Cyber Security, 40% of millennials have fallen victim to cybercrime in the past year. Eighty-six percent of those surveyed said that they might have experienced a phishing incident, with 30 percent unable to detect a phishing attack.

Millennials are digital natives, and they are undeniably more tech-savvy than the previous generations, so why would they be the most vulnerable to cybercrimes? Despite being the more tech-savvy set, it is worth noting that millennials experienced two different eras of technological developments. Witnessing the internet from its early stages – the slow connection and the huge computers – to the accelerated rise of social media, smart phones, and wireless connection must have made them a bit cavalier when it comes to their online activities.

True enough, reports blame unsafe online practices for this problem. Millennials can be promiscuous when it comes to their login credentials; they tend to share their passwords with friends and family members. This lack of caution, paired with the use of vulnerable media online, spells security trouble. Another reason is their use of public and unsecured wi-fi networks for online transactions, leaving sensitive information and credentials exposed. Most millennials are also lax about using third-party applications, answering online surveys, and granting access to files and documents on online platforms.

How do you protect yourself from cybercrimes?

  • Make it very difficult for attackers to access your accounts by using strong and unique passwords. Make sure to use lower and upper case letters, symbols, and numbers. Change your passwords every three months, and do not use just one password for all your accounts.
  • When installing new network-connected devices at home, do not forget to change the default password. Disable or protect remote access when not necessary.
  • Be cautious and think twice before clicking links and opening messages and attachments. Be suspicious of the sender and the subject line. Most phishing emails come from compromised email accounts of friends. Surveys show that 4 in 10 millennials cannot distinguish a phishing email from a legitimate one.
  • Limit your online activities when using public wi-fi networks. When you access your personal information over an unsecured public wi-fi network, you risk exposing it. Avoid accessing your social media accounts, paying bills and purchasing anything using your credit card while on a public wi-fi network.
  • Be diligent in managing the settings of your social media sites. Make sure that you are not exposing personal and private information. The less you share, the better.
  • Stay updated on news about security breaches. If your bank or a site you have an account on falls victim to cybercriminals, change your password immediately.
  • If you have become a victim of a cyber attack, alert your local police. In some cases, the FBI and the Federal Trade Commission need to be looped in, too. By reporting the crime, however minor it may seem, you are helping prevent criminals from proliferating.

Contact us at Hogan Injury for expert legal advice.

None of the content on is legal advice nor is it a replacement for advice from a certified lawyer. Please consult a legal professional for further information.

What is business resilience?


What is business resilience?

I get asked this a lot! Most people are familiar with the terms ‘business continuity’, ‘crisis management’, ‘disaster recovery’ and ‘cybersecurity’, but increasingly the term ‘business resilience’ is being used as business continuity experts take on a broader, more overarching role.

So what is business resilience?

As the business environment becomes more technology led and complex, business resilience is getting more attention on the strategic agenda of organisations. It’s about good corporate governance.

The traditional focus on Business Continuity is now being replaced by a broader approach towards business resilience, with the traditional resilience expert taking on a broader role which encompasses:

  • Cyber Resilience – the ability to withstand and quickly recover from cyber attacks.
  • Operational Resilience – the ability to carry out the organisation’s business despite the presence of operational stress and disruption.
  • IT Resilience – the ability to keep the organisation’s critical systems and processes running no matter what.
  • Business Continuity Management – the organisation’s framework for identifying and managing business continuity arrangements.
  • Crisis and Communication Management – strategy and plans to deal with a sudden and significant negative event.

These are all specialist areas. The business resilience expert’s job is to bring them all together to make sure that the organisation can withstand the shocks and strains of unexpected events. Failure to address these risks could lead to business failure.

GDPR Compliance


Survey shows that many organizations may miss GDPR deadline

A recent General Data Protection Regulation (GDPR) readiness survey undertaken by the specialist law firm Technology Law Alliance shows that only 18 percent of UK and multi-national organizations are ‘highly confident’ that they will meet the deadline next May for compliance with the new GDPR.

The survey results showed that the biggest challenges which organizations face are dealing with the large number of systems on which data is stored and processed, and the lack of internal resource and know-how about GDPR.

With the ‘high confidence’ figure for GDPR compliance by 25th May 2018 being at such a low level, one would assume that this would have the attention of the boards of the respective organizations. However, only 51 percent of organizations indicated that regular board level reporting was being undertaken in respect of GDPR readiness, despite survey responses showing that 78 percent of organizations regard GDPR compliance as more important than other compliance programmes.

In terms of what organizations are actually doing to prepare for GDPR, 89 percent of respondents indicated that their organizations were involved in some form of data mapping or data flow activity. However, only 41 percent had a detailed GDPR compliance plan in place.

Although the survey results revealed that there are clear challenges which GDPR compliance is imposing on organizations, over three-quarters of organizations saw GDPR compliance as a positive initiative. Organizations cited reasons such as: helping them focus more clearly on the way in which data is used internally; becoming more transparent with individuals with regard to use of their data; and improving security within their organizations.

How to defend against cybercrime


Why multi-layered backup is key to business continuity in the battle against cybercrime

This article was originally published in Continuity Central.


When it comes to cyber attacks, Gareth Griffiths says that having a comprehensive business continuity plan is no use if the backups themselves are not secure. Using the example of UK NHS Trusts, Gareth explains why there needs to be more emphasis on the robustness of protection.

NHS England recently released its 2017/2018 Data Security and Protection Requirements, which sets out ten data security standards. This follows a UK National Audit Office (NAO) report criticising the NHS for its handling of the WannaCry attack earlier this year. While there is much to commend in this report, I do not think it goes far enough.

One of those data security standards states that “a comprehensive business continuity plan must be in place to respond to data and cyber security incidents”. We think there should be more emphasis on the robustness of protection. Having a comprehensive plan is no use if the backups themselves are not secure. 

When backup isn’t enough

Just as disaster recovery is an essential component of business continuity in the battle against cybercrime, in the case of ransomware attempts, backup is critical. But, increasingly, we’re seeing that having a single backup strategy is not sufficient and, depending on the storage media, potentially even part of the problem.

Historically, there was little risk to backups themselves, yet ransomware adds a new dimension that threatens and attacks not just the data, but also the backups, as was the case with the WannaCry attack.

Because the risks to NHS systems have evolved, the precautions to protect against new threats are evolving too. Similarly, as the drivers for backing up data changes, the way backups are performed should too.

When backup is part of the problem

Today, many NHS Trusts use online de-duplication devices as their primary backup media. These devices can store many generations of backup in a small footprint at a reasonable cost, and they are convenient to use and quick to restore from, i.e. no fetching tapes from offsite storage. But they may actually be more vulnerable to malicious or malware attack, as demonstrated by WannaCry’s proficiency at encrypting files. And, on their own, they present a single point of failure.

While you can protect the single failure point by replicating the device to another location, that does not protect against deliberate corruption. Resilience features like replication are great if one piece of hardware fails, but no defence against deliberate corruption; they simply ensure that the data is perfectly corrupted in multiple locations.

To the network, de-duplication devices look just like any other file server (they typically present an SMB share). Unfortunately, that is just the sort of thing that ransomware looks for. Network file servers are where most sites keep their data, so the ransomware looks for these and encrypts them.

In effect, you may have made your backups convenient and easy to use, but also easy to damage and vulnerable to malware like WannaCry. What better way for a cybercriminal to incentivise an organization to pay up than by corrupting their backups as well as the data?

Lessons from history

  • Ten years ago we backed up to tape: safe, but slow and inconvenient to restore.
  • Five years ago we changed to backup to online de-duplication: quick and convenient, but vulnerable.
  • Today we need both.

Traditionally, data backups were written to tape and stored offsite. While there were, and still are, of course, physical threats to backups, such as damage to hardware and physical disasters (fires and flood, for example) they were not vulnerable to cyber attack.

An offsite tape in a fire-safe with the write-protect switch set remains the safest form of backup from any threats, cyber or otherwise. Backups are best protected when they are maintained offline from production environments to avoid ransomware viruses corrupting backup copies. We refer to this as the ‘gold standard’.

While having an offline or tape backup is a good secure media, it is more challenging to use. Tapes have to be located, loaded and positioned and can only be used by one process at a time. For this reason, many Trusts have a desire to move away from tape, but they haven’t always considered the potential vulnerability of disk-based backups.

Rather than moving away from tape completely, at BridgeHead, we believe that offline media must supplement online backups and provide the second layer of protection. So how can you get the best of both worlds – convenient quick access and secure offsite protection?

We recommend an easy-to-restore-from, but less secure, first-stage backup with a ‘cascade’ on to tape or similar offline removable media. Because the cascade copying of the data all happens on backup servers, it does not impact production systems. This is commonly called Disk to Disk to Tape (D2D2T). The final copy doesn’t have to be tape, but it must be safe against malware, secure and offsite. Tape is arguably still the simplest media, although some strongly authenticated cloud storage could be considered.

The disk copy, most likely de-duplication, is used for quick convenient restores, while tape is used for site disasters or if the de-dupe device itself gets damaged physically or corrupted. The first layer might be a backup to a de-duplication store or a storage array snapshot that is then cascaded onto tape, or similar offline media, for long-term and more robust backup.
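As an added example (not from the original article and not BridgeHead’s software), the following Python applies the article’s multi-layer test to a constructed backup inventory: each dataset needs a quick-restore online copy plus a cascaded copy that is offline, write-protected and offsite, and a replica of the online device does not count because it would replicate the corruption too. Dataset names, tiers and timestamps are made up.

```python
"""Policy check for the Disk-to-Disk-to-Tape (D2D2T) layering described above.

Added example; the inventory below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    tier: str              # "dedup", "snapshot", "replica", "tape" or "cloud"
    offsite: bool          # held away from the production site
    on_network_share: bool  # reachable as a writable share (what ransomware looks for)
    write_protected: bool  # e.g. tape write-protect switch or immutable cloud object
    taken_at: datetime


QUICK_TIERS = {"dedup", "snapshot"}   # first layer: convenient, fast restores
FINAL_TIERS = {"tape", "cloud"}       # second layer: the cascade target


def is_gold_copy(copy: BackupCopy) -> bool:
    """The article's 'gold standard': offline, write-protected and offsite."""
    return (copy.tier in FINAL_TIERS
            and copy.write_protected
            and copy.offsite
            and not copy.on_network_share)


def assess(copies, now, max_cascade_age=timedelta(days=7)):
    """Return {dataset: [findings]}; an empty list means the dataset passes."""
    by_dataset = {}
    for copy in copies:
        by_dataset.setdefault(copy.dataset, []).append(copy)

    report = {}
    for name, dataset_copies in by_dataset.items():
        findings = []
        quick = [c for c in dataset_copies if c.tier in QUICK_TIERS]
        gold = [c for c in dataset_copies if is_gold_copy(c)]
        replicas = [c for c in dataset_copies if c.tier == "replica"]

        if not quick:
            findings.append("no quick-restore online copy")
        if not gold:
            findings.append("no offline write-protected offsite copy (single point of failure)")
            if replicas:
                # Replication protects against hardware failure only; deliberate
                # corruption of the online device would be copied faithfully.
                findings.append("replica only duplicates online media; corruption would be replicated too")
        elif now - max(c.taken_at for c in gold) > max_cascade_age:
            findings.append("offline copy is stale; cascade has not run recently")
        report[name] = findings
    return report


# Constructed sample inventory with a reference time (not real systems).
NOW = datetime(2017, 12, 1, 8, 0)
SAMPLE_INVENTORY = [
    # Dedup store cascaded to an offsite, write-protected tape last night: passes.
    BackupCopy("pas_db", "dedup", False, True, False, NOW - timedelta(hours=6)),
    BackupCopy("pas_db", "tape", True, False, True, NOW - timedelta(days=1)),
    # Dedup store replicated to a second site only: no offline layer.
    BackupCopy("pacs_images", "dedup", False, True, False, NOW - timedelta(hours=6)),
    BackupCopy("pacs_images", "replica", True, True, False, NOW - timedelta(hours=6)),
    # Tape exists, but the cascade stopped running a month ago.
    BackupCopy("file_shares", "dedup", False, True, False, NOW - timedelta(hours=6)),
    BackupCopy("file_shares", "tape", True, False, True, NOW - timedelta(days=30)),
]


def run_sample():
    """Assess the constructed inventory against the layering policy."""
    return assess(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    for dataset, findings in run_sample().items():
        print(dataset, "OK" if not findings else "; ".join(findings))
```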

Insurance policy

Much like any other sector, NHS Trusts need to make sure they have robust data backup. There is no one single best practice for backup. But considering, planning and testing disaster recovery and business continuity strategies regularly is an essential part of keeping up with evolving threats and minimising impact on patient care through downtime.

Even with the best firewalls and protection in place, we need to accept that cyber attacks can and will still happen. It isn’t so much if you catch malware as when. What is crucial is that healthcare organizations recover quickly with as little impact on patients as possible.

As the data security standard recommends, Trusts should have a written continuity plan. A well-designed and, crucially, well-tested backup and disaster recovery plan is critical to surviving a cyber attack and we believe that multi-layered backup should be core to that plan.

The author

Gareth Griffiths, Chief Technology Officer, BridgeHead Software. BridgeHead Software delivers data management solutions to healthcare organizations across the globe enabling them to improve patient care.

Energy Resilience


Are you worried about your businesses energy resilience?

Centrica thinks you should be.

Some months ago I had a conversation on this subject with someone who knows a lot about the energy business. I kept meaning to look into it to find out more but never quite got around to it until I saw this article today.

I thought I would share it.

Centrica: Firms urgently need an energy resilience strategy

Centrica: Best to prepare for the unexpected

Centrica says businesses need an energy resilience strategy, suggesting energy security and continuity should not be taken for granted.

The energy firm’s Business Solutions division has produced a research-based report that outlines the poor state of energy resilience today and practical guidance for businesses to implement a more energy resilient future.

The importance of energy continuity

We live in an era of increased business risk and, whilst news headlines focus on threats to business such as cyber-crime, there is a more pervasive and immediate issue in the form of security and continuity of every business’s energy supply. Energy is vitally important to every business, but it is only when an energy-related failure occurs that the operational vulnerabilities of a business become exposed and the need for a secure energy source becomes essential.

Perception vs. reality

There is a disparity between the threat posed by energy-related failures and the degree to which businesses are preparing for them.

Centrica Business Solutions has conducted research across multiple sectors to get a true picture of the challenges posed by lack of energy continuity, and what steps businesses are taking to address them. And though many acknowledge the reality of the threats to their energy supply, most think it will either never happen to them, or someone else will take care of the problem.

The report provides insight into the poor state of energy resilience today and practical guidance for businesses to implement a more energy resilient future.

Stakes are high

The impact of a power failure on any business is potentially huge. And it doesn’t have to be long for its effects to be long-lasting. One out of every ten businesses surveyed said that an outage of only one hour would be catastrophic to their operation.

And power failures affect all areas of business. Operational downtime is a major issue that can also lead to lost inventory and equipment damage. And that all affects the bottom line. Some businesses even state that outages have damaged their overall brand and relationships with customers.

Then there is the human cost. 11% of businesses say employees have been endangered as a result of energy-related failures. That figure is simply unacceptable.

Unfortunately, the frequency of failures is only set to increase:

81% of businesses experienced at least one energy-related failure in the last 12 months and 52% think it likely that they will experience an energy-related failure within the next year – in fact, 5% say it’s a near certainty.

But why?

There are more frequent and increasingly destructive natural disasters due to climate change. Local and national electrical systems – even individual buildings – are an increasingly frequent target for cybercriminals. And the age-old problem of human error remains an unavoidable cause of power outages.

So how can we address the problem?

It’s clear that businesses need an energy resilience strategy in place to protect themselves. Centrica Business Solutions’s research shows that there is a direct correlation between businesses that have a mature energy resilience strategy and positive business outcomes.

To take the next vital step in protecting the energy supply to your business, Centrica recommends downloading the report here.

Bad Weather Preparations for Business


As November approaches I sat down to write about how and why business owners should prepare a plan for the bad weather to come during the winter. Then I found this article published by fsb in their online publication ‘first voice’ in May 2016. I thought that it was well researched and included much of the advice I was going to write and contained some scary statistics to focus the mind.


You may also be interested in this blog I wrote a while ago. It contains links to some resources you can use to plan. 

When bad weather strikes, this is what business owners need to do.

It is a cliché that the British only ever talk about the weather, but when it comes to business we have good reason to do so. When it turns nasty, the weather could put a small company out of business. If you work somewhere that has never been affected by severe weather, you might think this is not your concern. 

But you could be wrong: indirect consequences of severe weather, such as power cuts, staff being unable to get to work or suppliers being unable to deliver, can be just as disruptive as direct damage to your premises.

Remarkably, two-thirds of the smallest businesses in the UK have been negatively affected by severe weather events during the past three years, according to research published by FSB last year. Even more worryingly, the average cost of these events was £7,000. But 46 percent of the 1,199 small businesses questioned, most employing no more than 10 people, had taken no action to manage risks related to severe weather; and only 25 percent of microbusinesses have a resilience plan that specifically includes severe weather. 

“Few small businesses have a resilience plan of any kind, let alone one that deals specifically with severe weather,” says Allen Creedy, Chair of the Energy and Environment Committee at FSB. Business owners with no contingency plans will have to hope this winter is not a repeat of 2013-14, the wettest since UK-wide records began, when more than 3,200 commercial properties were damaged by flooding and/or storms.

Counting the cost

Nor is it just the immediate aftermath of an incident that can be problematic. When storms damaged power lines and telephone lines in Berkshire, ValueMAxess, a consultancy serving the pharmaceutical industry, was left without power for 24 hours, and without Internet or phone services for four weeks. Owner Andreas Guhl had to rent an office during this period, adding to operational expenses.

Once the problem was resolved, he put in a claim for compensation, based on costs incurred and lost earnings. At first, the telecoms provider offered him £13, then, after he complained, around £100. 

He then launched legal action. Two days before the hearing, it paid him the full amount claimed. “Don’t be shy,” he says. 

“Take those guys to court.” Mr. Guhl has now relocated to Northamptonshire and put arrangements in place to use rented offices in Northampton or Milton Keynes if necessary. 

Are severe weather events becoming more frequent, possibly as a by-product of climate change? In October, Mark Carney, Governor of the Bank of England, in a speech at Lloyds of London, warned climate change poses a huge risk to global stability. He said the number of registered weather-related loss events had tripled in 30 years. But Carney was talking on a global scale. Are severe weather events occurring more frequently in the UK? “I’m not sure they are,” says Andrew Morrish, Claims Operations Director at Aviva, although he says his firm watches such trends closely. “But even if it’s not a catastrophic, wide-ranging event, for any individual business major weather events can be a catastrophe.”

Action plan

What can small businesses do to protect themselves? Simply keeping up with weather forecasts can help – the Environment Agency provides a free flooding-alert service for firms (and homes) at risk of flooding, with warnings sent by phone, email or text. According to FSB’s research, more than one in five businesses (22 percent) based in flood-risk areas were unaware of this service last summer. FSB also recommends that small companies produce a resilience plan covering the potential impacts, including on their supply chain, and consider how easily staff could work remotely if necessary.

Resources are available to help a small firm create a continuity plan, but they vary in quality, says Mr. Creedy. “We’re trying, with Government, to set up a one-stop shop, where businesses can get a resilience-plan template, good insurance and advice.”

It’s important to develop a strategy that suits the needs of the company, says Mark Nicholas, Managing Director of Easy Continuity, a business continuity product and service provider. 

“Look at risks that could render your building ineffective. You need recovery options for buildings, staff and IT.” You also need to have a plan in place that will help you communicate with staff, customers and business partners in the event of an incident. “Customers are more likely to react sympathetically to a disrupted service or a closed facility if they know what’s going on,” says Tim Morris, Director of Marketing at emergency communications technology provider Crises Control.

Take cover

The other key precaution is to ensure you have all the insurance you need. In November, the Flood Re initiative, which helps homeowners at risk from flooding find affordable flood insurance, came into force – but there is no equivalent for small businesses. More than half (52 percent) of small firms based on floodplains do not have flood insurance, with 9 percent reporting difficulties in finding cover, and 6 percent having been refused, says FSB. It is asking the Government for measures to ensure small businesses can access affordable flood insurance. 

Meanwhile, firms finding it hard to get cover should contact brokers who specialise in obtaining it even where there have been previous flooding losses, says Martin Bridges, Technical Services Manager at the British Insurance Brokers’ Association (BIBA). “Our members understand the risk associated with an individual business, and the measures they have taken to reduce the effects of flooding,” he says. 

“The broker may also have details about the likelihood of flooding that they can share to obtain better terms.” In addition, business-interruption insurance can compensate businesses for any reductions in profit and increases in operating costs caused by a business interruption. But only 46 percent of small firms have this type of insurance in place, according to FSB. If you do buy it, check the small print. The 2013-14 floods left Oxford Ironmongery, an architectural ironmongery firm, unable to reach its premises and serve customers for five days, even though the premises themselves were not flooded. Managing Director Julian Newman put in a claim on his business-interruption insurance for five days’ worth of profit – about £2,500 – based on average takings and outgoings over the previous three years. 

The insurer’s loss adjuster recommended that the insurer offer the firm just £47.
“I got in contact with the local media,” says Mr Newman. “The television interview went out at 6.30pm on a Tuesday evening, and at 6.35pm I was having a phone conversation with the head of the insurance company.” The insurer subsequently improved its offer. No one wants to be forced to put the strength of their insurance policies to the test or end up in lengthy media or legal battles. For most small businesses, the priority should be to take reasonable precautions and think of how any impact can be mitigated, should something unexpected strike. As the old phrase goes, forewarned is forearmed.

How to plan for severe weather

  • Create a resilience plan that covers the potential impacts of severe weather on your business and your supply chain
  • Investigate the level of flood risk you face and sign up to the Floodline Warnings Direct service (
  • Plan for staff to be able to work remotely or from home if necessary
  • Consider additional continuity arrangements
  • Make sure you have insurance that is appropriate to the risk you face. You can get free insurance-related advice from FSB Insurance Service (

Case Study – Alight buoyant again after floods

Amante Witherick runs the Alight Balloon Company, creating decorative products (pictured) for weddings, corporate events and similar occasions, from a large garage workshop next to her house in the Somerset village of Moorlands. 

When the 2013 floods struck, she expected the house and garage to be flooded, so she moved some stock and equipment to higher surfaces. But the floodwaters rose to a height of 1.5 metres and stayed there for weeks, wrecking the family home and the garage workshop. 

Ms Witherick lost thousands of pounds-worth of stock, equipment and personal belongings. She now believes she could have saved more, but at the time felt unable to do so. “It’s so overwhelming – with everything devastated, you go into this sort of numbness,” she says. “I didn’t answer emails for about a fortnight, so I lost a lot of business.” The family home and garage have now been refurbished, and the company is thriving again. A government grant for domestic flood defences has funded the construction of a new wall that should offer the property more protection. If she were flooded again, the main thing Ms Witherick would do differently would be to act more quickly to move items into a storage facility, and keep trading from there, she says.


Handling the Psychological Impact of Distressing Incidents


Employers need to consider the people side of business resilience. People are our greatest asset but their resilience is often overlooked when it comes to business continuity plans.

I found the following article that details six steps to building a successful strategy to help your staff, and therefore your business, recover quickly from traumatic or distressing events.

Managing the psychological impact of distressing and traumatic incidents: six steps to build a successful strategy


When organizations encounter sudden, unexpected and disruptive events, business continuity plans aim to quickly restore operational functioning. However, without stabilising the people who deliver those operations, the best laid plans may only be partially successful. Liz Royle looks at six steps that organizations can take to manage this area.

Managing the emotional impact of a distressing or traumatic event should begin before an incident has happened – particularly for organizations with a predictable risk of encountering them. Strategic planning ensures a proactive, clear and consistent approach for safe systems of work and faster recovery from the people perspective. This article sets out six steps required for a successful strategy and some of the questions that should be considered before implementing any plan.

Step 1: Assess the nature and type of risk
Step 2: Create a clear rationale for intervention
Step 3: Identify responsibilities and engage key people
Step 4: Develop procedures and prepare resources
Step 5: Train staff
Step 6: Test, monitor and evaluate.

The steps themselves should be reassuringly familiar but how do they relate to the psychological aspect?

Step 1: Assess the nature and type of risk

When it comes to distressing and traumatic events, it is worth keeping in mind the following definition:

Psychological critical incident: An event or series of events that may cause significant emotional or physical distress, psychological impairment or disturbance in people’s usual functioning.

There are four main areas to consider and the examples shown for each below are not exhaustive!

  • Major incident: e.g. act of terror, active shooter, multi-casualty incident, line of duty death, man-made disaster (e.g. chemical leak, fire) or natural disaster.
  • Incidents related to the organization’s activities: e.g. armed robbery, transport / heavy machinery accident, violence or physical assault. Some employees will have repeated and extreme exposure, for instance emergency services workers, cash handling and transit services, and security professionals.
  • Secondary trauma: e.g. repeated exposure to others’ trauma as part of role (think social worker / journalist / emergency services).
  • Unpredictable ‘life events’: e.g. the sudden death of a colleague or suicide of a member of staff. These events can have a huge impact on colleagues. Shock and grief can impact on a team’s functioning just as heavily as a cyber-attack or flood.

Risk management plans can be a good place to start when considering hazards and threats arising from the organization’s activities or certain roles within it but think more broadly. People may be at risk directly or as a witness. One of the most challenging workplace events is a line of duty death. The ripple effects are significant as many people who are not directly involved will be impacted by the recognition that “it could have been me.” This can have a major impact on operational functioning and productivity.

Initial questions to consider in step 1:

  • What are the potential risks to your organization in these four areas?
  • What are the likely frequency and severity of these?
  • Who has been identified as potentially at risk? As well as those directly involved, who may be psychologically affected by these events? Related teams, call handlers / reception staff? 

This is not about wrapping people up in cotton wool but identifying risks in order to address them. As with any assessment, the control measures will be appropriate to the level of risk.

Step 2: Create a clear rationale for intervention

It is important to consider exactly what you are trying to achieve by implementing a support programme. These may be things that the organization is seeking to improve, address or change. Each organization will have a slightly different perspective on this and there will be many people within the organization who think that being proactive and supporting employees is a bit ‘pink and fluffy’.

Any policy must therefore have a clear rationale with an analysis of associated costs and benefits. Often, we find that the people closest to the operational ‘frontline’ have the strongest motivation to address trauma but struggle to convince those with power and influence to implement changes. We can’t be emotional about this topic and have to make a sound business case.

So why should an organization invest in being proactive?

Save money? Early intervention and effective treatments result in financial savings including reduced sickness absence, and costs of sickness cover or overtime and recruitment.

Reduce employee turnover? An effective psychological critical incident programme can contribute to better working relationships and increased employee satisfaction resulting in the organization being able to attract and retain high quality workers.

Increase productivity? As symptoms of mental distress escalate, the individual is likely to experience deterioration of focus, decision making, concentration and assessment of risk. The organization is also negatively affected by mistrust and cynicism towards leaders. If the organization is not perceived to care then why should its employees?

Increase employee morale, health and wellbeing? Supportive management involvement, as part of the post incident procedures, leads to organizational empowerment and reduced stress for managers (and ultimately increased productivity again), through employees being healthier, happier and better motivated. Leadership and morale are both closely linked to resilience and peer support, and can actually help protect individuals against traumatic stress. 

Maintain reputation as a socially responsible organization? There is a wider cost to society arising from psychological critical incidents. Unresolved distress and trauma can lead to family breakdown, violence – inside and outside the home, alcohol or drug abuse and even suicide and homicide.

Protect against litigation? Good procedures for psychological recovery and rehabilitation can reduce exposure to reputational damage and the financial costs of prosecution or litigation. A sound policy will ensure that the organization is able to meet the requirements of health and safety legislation in respect of risks arising from potentially traumatic incidents at work.

Reduce human distress? Last but by no means least, if we get it wrong the results can be devastating in terms of the human suffering and the ripple effect to families and colleagues.

These driving forces will have varying relevance depending on organizational aims and vision.

Initial questions to consider in step 2:

  • What are the top priorities for your organization?
  • Is there consensus on this?

It is important that all those involved are in agreement as to the most important driving forces. For instance, a trade union that perceives the focus as being solely cost-driven rather than welfare-oriented may provide challenges. These two rationales shouldn’t be incompatible but it’s down to how it is presented to all involved!

Step 3: Identify responsibilities and engage key people

Now that you have established the risks and a clear rationale for action, the next step is to engage all involved. The larger the organization the more potential stakeholders there will be to consult with. In order for the plan to be effectively implemented this consultation should be thorough so that any resulting policy dovetails with existing practice.

Avoid simply delegating responsibility to an Employee Assistance Programme or Human Resources. Responsibility should be shared through all levels of the organization.

The organization is responsible for driving the initiative forward, providing the necessary resources (including appropriate professional support), conducting psychological risk assessments for employees and monitoring the overall effectiveness of the process.

Managers and supervisors are responsible for encouraging a working environment where issues of psychological impact may be raised in a supportive and timely manner, identifying when intervention is required and which members of staff may require further assistance.

All employees (at every level) have the responsibility to engage in health and wellbeing initiatives and observe safe systems of work.

Professional support teams, whether this is done via the Human Resources department or an outsourced Employee Assistance Provider, are responsible for providing clinically effective group and individual interventions, liaising with senior management regarding implementation and trends and advising on rehabilitation plans.

Initial questions to consider in step 3:

  • What health and welfare sources are available to employees who are identified as needing further support?
  • Does the service offer effective trauma treatment? N.B. In the UK, many people are unaware that guidelines produced by NICE (National Institute for Health and Care Excellence) specify that non-directive counselling is not usually appropriate for crisis and trauma reactions. It can actually re-traumatise and delay recovery.
  • How has post-incident support been viewed traditionally? Is it acceptable or implicitly stigmatised?

Step 4: Develop procedures and prepare resources

The procedure following a critical incident can be very briefly simplified into three stages each requiring its own detailed process.

1) Identification of critical incident and those in need of support: Managers are the obvious choice for doing this but need to be aware of the major factors predicting psychological trauma and how their team is responding to an event. Responsibility for requesting assistance can be widely shared for example between managers, trade union representatives and employees.

2) Immediate support: Ideally some form of initial support will be put in place before employees leave the workplace. This is informal, focused on safety, practical and welfare needs and may be carried out by a manager or colleague trained in psychological first aid. Information handouts should be made available that normalise responses and offer basic strategies to manage crisis reactions along with sources of support and advice.

3) Follow up intervention and monitoring of recovery: From the point of the incident occurring onwards, assessment is continually required for identifying current and emerging needs. For many people, education and support in the workplace will be enough but you need to consider how and where you will refer those individuals who need a higher level of care. Processes for accessing specialist trauma support and mechanisms for rehabilitation should be clear.

Initial questions to consider in step 4:

  • How will you identify a critical incident and who can start the response process?
  • Do you have incident logs or are you relying on managers to do this? In the latter case, you may be influenced by their subjective judgment of the situation if they are untrained.

Step 5: Train staff

There are different levels of preparation that can be considered by organizations and their relevance very much depends on the level of risk that has been identified. This may take the form of simple awareness building for all employees whether through training or informal input such as briefings or articles in staff magazines.

The higher the risk, the more relevant preparatory training is.

For those who are more likely to encounter critical events, preparatory training can be very beneficial. If they understand the nature of traumatic stress, and are aware of helpful coping strategies, they can take their part in healthy behaviours, feel in control of their recovery and have an expectancy of a return to full functioning. This will help them to be resilient and ‘bounce back’ effectively. It also has the added effects of reducing stigma and making everyone the eyes and ears for colleagues’ welfare.

Psychological first aid skills can be taught to managers or appropriate peer supporters. This ensures that managers have the skills to be able to identify and support employees experiencing traumatic stress reactions. It empowers them in being proactive with their support, avoiding many of the common problems caused by uneducated supporters and ensures that the appropriate level of support is made available to employees involved in traumatic or distressing incidents.

Initial questions to consider in step 5:

  • What training or initiatives are currently provided to support employees’ mental health/wellbeing?
  • Can these be adapted to include information on the new strategic plan?
  • If peer supporters, or psychological first aiders, are appropriate, who will they be and how many are needed to provide resilient levels of cover?

Step 6: Test, monitor and evaluate

Following implementation, an evaluation process is essential to ensure that the policy is operating effectively and not just sitting on the shelf gathering dust. There is no point in it looking wonderful on paper if it doesn’t work or doesn’t get used! Plans for managing the psychological impact of events should be tested as part of any other crisis simulation exercises.

Going back to step 2 and the rationale for intervention, organizations need to consider how they can best measure the effectiveness of the trauma support programme with regard to their original rationale for it.

Examples may include:

  • Sickness absence figures
  • Turnover rates and information from exit interviews
  • Information from workforce surveys
  • Information from team and branch meetings
  • Feedback from managers and peer supporters.

Initial questions to consider in step 6:

  • Who will be responsible for monitoring the implementation and effectiveness of any policy and when / how often will this be done?
  • How are concerns about the process captured and dealt with?
  • What action will be taken in instances where the procedures haven’t been followed, e.g. education of managers?


This article is a first step towards considering your plans and asking some of the right questions. Managing major incidents and roles that are vulnerable to secondary trauma brings additional, more complex challenges so always seek qualified, professional support. Planning for these risks involves many other aspects beyond the scope of this particular article.

A good strategy should be clear, simple, cost-effective and embedded in organizational culture. Where the human side of post-incident operations is handled well, there are great benefits for all concerned with a faster return to operational functioning so it is well worth the effort!

The author

Dr Liz Royle is an international author and speaker with substantial experience of the strategic management of trauma and proactive and responsive interventions for high risk organizations. Her professional experience of trauma was cemented during her time as senior welfare officer for Greater Manchester Police, providing 24/7 critical incident interventions to police officers, developing post-incident procedures and managing responses to major incidents such as line of duty deaths and multiple fatalities. She was the lead person for the European Society for Traumatic Stress Studies (ESTSS) Managing Trauma in the Uniformed Services task force for eight years. Since leaving the police service in 2004, she has taken her skills and knowledge into the private, corporate and voluntary sectors. Dr Liz Royle has written trauma support policies for city councils, police forces and security companies and provided strategic and crisis response support to organizations affected by acts of terror, natural disasters, deaths, violence and serious accidents.

Dr Liz Royle will be speaking at BCI World in November.


Note: The six steps described in this article are adapted from ‘Power to Recover: A complete guide to managing psychological trauma at work’ by Dr Liz Royle and Catherine Kerr (CPsychol).

Preparing Your Business for Winter

Category : Preparedness

It’s only September I hear you cry!

Why are you talking about preparing my business for winter?

Well, it will be October next week and by then the arguments about whether it’s cold enough to turn the heating on will be over and everyone will have agreed that the time has indeed come.

Having spent much of my adult life preparing for things that might go wrong I thought I would pass a few tips on to you.

I’ve also included links to some resources and if you would like a comprehensive checklist to help you prepare just send me your details in the pop up at the bottom of the page and I will send it to you.


So with winter on its way now would be a good time to think about planning for it.

It’s too late to plan in November when you find that all the snow shovels have been sold and you’ll have to walk over the icy path to your office to get some grit before someone hurts themselves. Remember, you have a duty of care for your staff and customers coming to your premises so you need to make sure you have done this stuff.


The main things that affect businesses in winter are snow storms, power cuts and flooding so what can you do now to make sure you are ready?

Keep an eye on the weather.

Sign up to the Met Office Severe Weather Warning Service

Sign up for their email alerts. It’s free! I wouldn’t normally pay much attention to yellow alerts unless you were in a particularly vulnerable area prone to say flooding but when the alerts get to Amber you really need to take some action.  What action you need to take will of course have been thought about and will be written in your plan.

You could also use the British Red Cross Emergency App. It’s free and might help you prepare your home for winter too.


How will you contact your staff? It may be that the office has no water or electricity. How will you contact your staff to tell them to work from home or other premises?

You may want to think about how you would go about diverting phones so your customers can still contact you, even if your staff are working from home. A VoIP phone service is what I recommend to my clients. It’s the way forward and is so much more resilient than landlines. Mine costs me about £3 a month so it’s also cheap.

How can you communicate with key team members when they are unable to get to the office? Not so much of a problem these days but if you haven’t thought about how you are going to do it before it happens you won’t be able to take advantage of the technology we all carry in our pockets.

What would you do if you and your staff can’t leave the premises because of snow or flooding? Do you have a source of food and water? People do get stuck in their workplace. If that is likely to be a risk for your premises what are you going to do? Remember, you may be cut off without electricity, which probably means no heat or light, or water so you need to think about how you might prepare.

Carry out a Business Impact Assessment. The government has provided some helpful resources here. It will give you an idea of how important your various services are to your business and what you can do without for a while. This allows you to focus on what is really important.

Supply Chain

What happens if the roads are blocked and your supplier can’t get to you?  Do you have plans to increase stock levels for winter? Do you have alternative suppliers?

Do you need fuel for your vehicles? You should plan to keep them at least half full, just in case the tanker doesn’t get to your garage.


Need help?

If you would like some help with your planning just send me your email address and I will get back to you with a handy checklist that you can use as the basis of your plan.

Can Macs Get Viruses

Can Macs get viruses?

Yes, they can. 

Now you can get on with whatever it is you would rather be doing or you can read on and get some tips on how to avoid it happening to you.

My Mac was attacked last night but it was unsuccessful so I thought I would write a blog to show you how to avoid becoming a victim.

Many people think that because Macs run on Unix code and have inbuilt protection they are safe. The other factor often mentioned is that, as there are fewer Macs than Windows machines, the bad guys don’t bother creating viruses or malware for them.

The bad news, if you have a Mac, is that this is not true. It may have been once but not anymore. I’m not trying to sell anti-virus software though. This post is to give you some tips on how you can secure your Mac. Most of it is fairly straightforward and won’t cost you anything, other than a bit of your time.

This is a virus detection on my Mac in September 2017

As the screenshot above shows my Mac was attacked by a W97M Trojan, which is designed to steal your banking details. This came embedded in a regular email newsletter from a trusted source.

The virus scanner caught and quarantined the files which are embedded in a Word file. If you open the file and allow macros to run then the Trojan installs the Spybot software that is designed to steal online banking details.

So, even if I hadn’t installed virus protection there were a couple of actions required before the malware was installed but would you or a member of your staff open a document from a trusted source? I think you probably would and this presents a risk you need to address now before it happens. 

How can I secure my Mac?

Here are some things you can do to make sure your Mac is secure. 

Turn on your firewall.

You may think it will come enabled but by default it is disabled.  To turn it on go to your settings page and select Security & Privacy. You will then click on the padlock at the bottom left of the window, enter your administrator’s password and then turn on the firewall.

It should just take care of itself after you turn it on, but if you have any problems getting applications to work then turn it off again and see if that cures the problem. You shouldn’t get any problems, but you may be using software that doesn’t want to work properly, in which case you’ll need some help from your software provider.

Install some anti-virus software.

I use McAfee because my ISP is BT and they provide McAfee free to install on all of my machines. Your ISP may provide a free one or you can shop around and find one that suits your purpose. Sophos provide free AV software for Macs and it seems to have a good reputation.

Use a strong password.

There are three settings here you should pay attention to.

The first is the one which allows you to set a password for your account.

The next allows you to specify if a password is needed to unlock your Mac when it goes to sleep or a screen saver begins.

If you work in an office with other people, you should consider switching this setting on.

You can specify how soon after sleep or the start of a screen saver the password is required. The most secure setting is ‘immediately’ but, like everything else to do with security, you need to balance security and convenience. So choose a time period that makes sense to you.

If you are using a MacBook then you really do need to set it to lock within a few minutes, just in case you accidentally leave it on the train, like civil servants do. Don’t forget to disable the automatic login or it’s all a waste of time!

Encrypt your hard drive.

In the Security & Privacy section, there is a tab called FileVault. Click it and enable FileVault. Choose whether to unlock your files using your iCloud account or with a recovery key.

Your hard drive will then encrypt everything. It will take a while, depending on how much data you have, but it will do it in the background while you work on.

This is particularly important if you are using an external hard drive or SSD because someone could just pick it up and be away with it.

Turn off Bluetooth.

Not if you are using a Bluetooth mouse, trackpad or keyboard, of course. You are probably quite safe using Bluetooth on your desktop Mac, but on your MacBook you are exposing yourself to potential threats if you are out in the world with it switched on.

Enable two-step authentication wherever you can.

Most applications, websites etc will now offer you two-step authentication that involves them sending you a text or email message with a code to enter whenever you try to access or change anything like a password. This means a stolen password on its own is not enough for someone to get into your account.

It works. Someone tried to hack my wife’s account last week but the two-step authentication meant she was notified and was able to go and change her password as a precaution.

Use a VPN

If you are out and about with your Macbook use a Virtual Private Network (VPN).

I’m not saying your favourite coffee shop wifi is dodgy but if you connect to any network that isn’t yours, you are at risk.  

There are loads of VPN services available. Most of them are paid for so you can shop around and find one that suits you.

I don’t use a lot of unsecured wifi, preferring to use my phone to tether my laptop and use 4G networks but I do use a VPN called TunnelBear for occasions when I have no alternative. It is free for a limited amount of data.

You could set your own up on your home router if it’s capable of providing a VPN solution and that would be free. You would need to have a reasonable broadband speed at home otherwise your connection would be too slow and that’s annoying.

It’s not that easy to setup if you’re not clued up on it but it’s an option you could explore. You can’t do it with the standard router BT give you.

Turn off sharing.

If you don’t need to have sharing on then turn it off. You may need to share stuff but most people won’t. Make sure none of the boxes on the left of the Sharing pane are ticked.

Don’t click on links or open documents in emails unless you are sure you know what they are.

As I mentioned at the start of this post you can’t even trust emails from organisations or people you know because their accounts may have been hacked and are being used by bad guys. This has happened to me on 3 occasions in the past few months where a company I have done business with has been hacked and used to send out malware or phishing attacks. When the GDPR comes into force I hope companies start paying a lot more attention to their security.
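The settings above are all set through System Preferences, but they can also be checked from Terminal. The script below is an added example, not the author’s code: a read-only audit that reports ok/warn for the firewall, FileVault, screen-lock password, automatic login, Bluetooth and sharing services. It assumes the command-line tools and preference keys of macOS of the time of this post (socketfilterfw, fdesetup, the com.apple.screensaver and com.apple.loginwindow defaults, launchctl), and that you run it with sudo if you want the sharing check to see system daemons.

```shell
#!/bin/sh
# Added example (not the author's code): read-only audit of the macOS
# settings discussed in this post. The classify_* helpers turn the raw
# output of each macOS command into "ok" or "warn", so the decision logic
# can be exercised with constructed strings on any POSIX shell; audit_mac
# runs the real commands and only does anything on macOS.

# socketfilterfw --getglobalstate prints e.g. "Firewall is enabled. (State = 1)"
# State 1 = on, State 2 = on with "block all incoming", State 0 = off.
classify_firewall() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) echo ok ;;
        *) echo warn ;;
    esac
}

# fdesetup status prints "FileVault is On." or "FileVault is Off."
classify_filevault() {
    case "$1" in
        *"FileVault is On"*) echo ok ;;
        *) echo warn ;;
    esac
}

# $1 = askForPassword (1 = require password after sleep/screen saver),
# $2 = askForPasswordDelay in seconds. Anything over five minutes is
# treated as too long for a laptop that travels (assumption, not a rule).
classify_screenlock() {
    [ "$1" = "1" ] || { echo warn; return; }
    [ "${2:-0}" -le 300 ] 2>/dev/null && echo ok || echo warn
}

# `defaults read ... autoLoginUser` fails (prints nothing) when automatic
# login is disabled, so an empty value is the good case.
classify_autologin() {
    [ -z "$1" ] && echo ok || echo warn
}

# com.apple.Bluetooth ControllerPowerState: 1 = radio on, 0 = off.
classify_bluetooth() {
    [ "$1" = "0" ] && echo ok || echo warn
}

# $1 = output of `launchctl list`; any loaded sharing daemon is a warn.
# (Screen Sharing, SMB file sharing and Remote Login respectively.)
classify_sharing() {
    case "$1" in
        *com.apple.screensharing*|*com.apple.smbd*|*com.openssh.sshd*) echo warn ;;
        *) echo ok ;;
    esac
}

report() { printf '%-24s %s\n' "$1" "$2"; }

audit_mac() {
    [ "$(uname)" = "Darwin" ] || { echo "Not macOS; nothing to audit."; return 1; }
    report "Firewall" "$(classify_firewall \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")"
    report "FileVault" "$(classify_filevault "$(fdesetup status 2>/dev/null)")"
    report "Screen-lock password" "$(classify_screenlock \
        "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
        "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)")"
    report "Automatic login" "$(classify_autologin \
        "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)")"
    report "Bluetooth" "$(classify_bluetooth \
        "$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null)")"
    # System daemons are only listed when run as root (sudo).
    report "Sharing services" "$(classify_sharing "$(launchctl list 2>/dev/null)")"
}

# Run with:  sh mac_audit.sh --run   (the helpers can also be sourced alone)
[ "${1:-}" = "--run" ] && audit_mac
```

A "warn" line is a prompt to revisit the matching step above, not proof of a problem; a Bluetooth keyboard, for example, legitimately leaves the radio on.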

So that was a quick 9 steps to securing your Mac. I hope you have found it useful but if you need anything more specific please get in touch. If I don’t know the answer then I have associates who can help you.

If you would like to receive regular stuff about making your company more resilient then please complete the boxes and I will add you to the list.

Regulatory Compliance

Category : Preparedness

What is regulatory compliance?

I was helping a startup business get off to a good start by helping them with advice on how to make the company resilient but it soon became clear that they also needed to understand the regulations they needed to comply with.  So I thought I would use my years of experience of compliance to give you the information you need to keep your business on the right side of the law.

This advice is not specific. It can’t be because all I can do in a post is generalize and give you the basics. You will need to seek out specific advice for your own circumstances if you think there may be some other regulations you need to comply with than the ones I am talking about here.

What does compliance have to do with resilience? That’s an easy one. Resilience is about taking a holistic view of your business and managing risks. Compliance is also about managing risk; these risks have been pointed out to you by regulators and probably feel like just another burden, but they are there for a good reason.

Failure to comply.

If you have failed to comply with fire safety regulations for example and your building burns down it may be your own fault. It will certainly be a really good excuse for your insurance company to say ‘NO’ and then the survival of your business is probably in serious doubt.  

So here is a list of the regulations and the documents you may well have to complete but remember my caveat above, this is a generic list and your situation may be different.

Clicking on the links in the tables will take you to the simply-docs website where you can find more information and download the template for yourself. Some of the links may break over time but they will still take you to the simply-docs website, which will guide you to where you need to be.

You’ll have to pay for most of them but it may save you a lot of time. Alternatively, you can ask a consultant to complete them for you if you would rather be doing something more interesting.


If I can help you with any of this just get in touch. 03333 440889 or email me on

Sole Trader / Partnership

Essential and Recommended Documents

  • Health & Safety Policy Statement
  • Health & Safety Policy
  • Health & Safety Arrangements and Procedures
  • Fire Safety Policy
  • Fire Risk Assessment
  • Asbestos Register
  • Risk Assessments
  • Accident reporting forms
  • Asbestos (ACM) Initial Damage & Disturbance Inspection
  • Environmental Policy
  • Waste Management documents
  • Manual Handling forms
  • Safe Driving


Small / Medium Sized Company

Essential and Recommended Documents

  • Health & Safety Policy Statement
  • Health & Safety Policy
  • Health & Safety Arrangements and Procedures
  • Fire Safety Policy
  • Fire Risk Assessment
  • Asbestos Register
  • Risk Assessments
  • Accident reporting forms
  • Asbestos (ACM) Initial Damage & Disturbance Inspection
  • Environmental Policy
  • Waste Management documents
  • Manual Handling forms
  • Safe Driving

Factories and Workshops

Essential and Recommended Documents

  • Health & Safety Policy Statement
  • Health & Safety Policy
  • Health & Safety Arrangements and Procedures
  • Fire Safety Policy
  • Fire Risk Assessment
  • Asbestos Register
  • Risk Assessments
  • Accident reporting forms
  • Asbestos (ACM) Initial Damage & Disturbance Inspection
  • Environmental Policy
  • Waste Management documents
  • Manual Handling forms
  • Safe Driving
  • Display Screen Equipment forms

Residential, Nursing and Care Home

Essential and Recommended Documents

  • Health & Safety Policy Statement
  • Health & Safety Policy
  • Health & Safety Arrangements and Procedures
  • Fire Safety Policy
  • Fire Risk Assessment
  • Asbestos Register
  • Risk Assessments
  • Accident reporting forms
  • Asbestos (ACM) Initial Damage & Disturbance Inspection
  • Environmental Policy
  • Waste Management documents
  • Manual Handling forms
  • Safe Driving
  • Display Screen Equipment forms


Small Hotel/B&B

Essential and Recommended Documents

  • Health & Safety Policy Statement
  • Health & Safety Policy
  • Health & Safety Arrangements and Procedures
  • Fire Safety Policy
  • Fire Risk Assessment
  • Asbestos Register
  • Risk Assessments
  • Accident reporting forms
  • Asbestos (ACM) Initial Damage & Disturbance Inspection
  • Environmental Policy
  • Waste Management documents
  • Manual Handling forms
  • Safe Driving
  • Display Screen Equipment forms


Transport and Logistics

Essential and Recommended Documents

  • Health & Safety Policy Statement
  • Health & Safety Policy
  • Health & Safety Arrangements and Procedures
  • Fire Safety Policy
  • Fire Risk Assessment
  • Asbestos Register
  • Risk Assessments
  • Accident reporting forms
  • Asbestos (ACM) Initial Damage & Disturbance Inspection
  • Environmental Policy
  • Waste Management documents
  • Manual Handling forms
  • Safe Driving
  • Display Screen Equipment forms




Warehouse and Storage

Essential and Recommended Documents

  • Health & Safety Policy Statement
  • Health & Safety Policy
  • Health & Safety Arrangements and Procedures
  • Fire Safety Policy
  • Fire Risk Assessment
  • Asbestos Register
  • Risk Assessments
  • Accident reporting forms
  • Asbestos (ACM) Initial Damage & Disturbance Inspection
  • Environmental Policy
  • Waste Management documents
  • Manual Handling forms
  • Safe Driving
  • Display Screen Equipment forms


How to Write an Incident Response Plan in 10 Steps

Category : Preparedness

I am in the process of developing an incident response plan for a client and thought that it would be good to share the 10 points you need to consider when writing your incident response plan. Having spent almost 3 decades responding to emergency situations I have learned that the key to successfully overcoming an emergency event is preparedness.  Preparedness means that you have thought about what might happen, have taken steps to minimize the impact of the risk, written a plan about what to do with those risks that can’t be eliminated, tested it and trained all concerned in its use.  This post will concentrate on developing the plan. I’ll talk about the other aspects in other posts.

Impact Analysis

  1. The first thing you need to consider is what could be the impacts on your business from a variety of events. You may think about floods, fire, pandemic flu, power failure, loss of telecoms, loss of water supply, terrorist activity etc.  The key here though is not to write a plan that addresses each of the possible scenarios, that would be too much like hard work and would end up in plans for events that would never happen.  Instead, you need to focus on the impacts of those type of events. The impact of a telecoms outage, power failure or a fire could be similar and amount to a loss of internet connection for example. Transport disruption from a heavy snowfall may have the same impact as a flu pandemic, both may prevent staff getting to work.  So it’s the loss of internet connection or staff shortage you are planning for, not the event itself.

Flexible Plans

  2. Your plan is going to have to be flexible. You can’t write a plan that addresses every eventuality that you have meticulously thought through. Life isn’t like that and the incident you find yourself in will be unique, so you will need flexible response modules covering the broad areas of staff shortage, supply chain issues and infrastructure issues, for example. The aim is to have a series of response plan checklists that you can use but that are not so rigid and prescriptive that they hamper the response.

Chain of command

  3. Once you have an idea of what your plan should contain you need to think about the chain of command. During my time in the emergency services, the chain of command was fairly easy to identify because everyone has rank and levels of training appropriate to their role. It’s not so easy where people don’t wear uniforms or have emergency response as their main role, so you will have to give careful thought to who in your organisation does what. It may be that you think the CEO should head the response but my experience has taught me that this is probably not the best use of the CEO. An operational director is probably most suited to leading a response to an operational issue, an HR director to a human resources issue, for example. This strategy releases the CEO to carry on running the company and ensuring business as usual as much as possible, or to being the talking head for the media if the incident warrants it.

Activation of the plan

  1. Activation protocols are really important. How do you know when you are in an emergency and the plan needs to be activated? Who is responsible for activating it? How will the plan be activated and those involved alerted? The plan needs to answer all of these questions, and the answers need to be absolutely clear, or the plan will fail.

Emergency Response Room

  1. Where is the response team going to work from? Is there a conference room that can be converted into an incident response room, or are you looking to outsource it? Some hotels and conference centres, as well as dedicated providers, can supply facilities you can use if you don’t have suitable premises or don’t want the expense of maintaining them. An important point to remember is that the premises housing your incident response room may be the ones with the problem, so you may need to deploy elsewhere.


Communications

  1. Communications! In almost every sizeable incident or exercise debrief I have been involved with, communications is the area that could have been better. You need to be really clear about communication channels. Not just the mechanics, such as providing an emergency response email account everyone can use during the incident or a dedicated telephone number; you also need to detail who is going to communicate with whom. The incident commander clearly shouldn’t be spending much time on the phone, so the team need to understand their roles: for example, one person deals with the emergency services, another communicates with the media, another talks to suppliers, and so on.

Testing the Plan

  1. Test the plan or it won’t work. I guarantee that your plan won’t work the first time you test it. Not because you or your expert consultant haven’t written a good plan, but because the devil is in the detail. It’s a bit like playing golf. You can read about it as much as you like, you can practise it on your PlayStation and you can watch YouTube videos forever, but it’s only when you get out on the course and start hitting balls that you really begin to understand what to do. I have spent a lot of time approving plans and it’s worth telling the story of the time one senior manager came to me with his ‘finished’ plan. He had never tested it. The plan involved relocating him and his team to another office in the city. As I ran through the plan with him it became clear that neither he nor his team had ever been to the standby office; they didn’t know how they would get in, as it was not normally manned, and they didn’t know what equipment they would have at their disposal once they got there. It quickly became apparent that the plan was all but useless because they hadn’t really thought it through. The office they were going to use was seriously inadequate for their purpose, so in the end the plan was abandoned and they started again with different backup premises.


Training Staff

  1. Now that you have a plan, you are going to have to train your staff in how to use it. This is also a good opportunity to test the plan. If you bring your team together to train and test at the same time, you will quickly make changes that make the plan work better. You would be well advised to use someone independent of the planning or response team to facilitate this training and testing. It’s amazing how much confirmation bias comes into play when the planners are running the exercise! What you want is a team that is involved in the further development of the plan, can make mistakes and try new ways of doing things in a safe environment, and will therefore buy into the plan and make it better if you ever have to use it.

Plan Review

  1. After every exercise and incident, you will need to conduct a review. This will almost always lead to some changes to the plan because you will learn something every single time. The questions the review should ask are: What went well? What went badly? What lessons did we learn?  What changes do we need to make? Again, finding someone independent of the planning or response teams to facilitate the review will lead to a better outcome.

Rinse and Repeat

  1. Rinse and repeat. Unfortunately, it’s not all over once you have written the plan and tested it. The world around us changes, your organisation changes and your people change. You will need to keep going round the cycle on a regular basis. Your staff have day jobs, and emergency response will be something they do infrequently, if at all, so they need to train regularly if your response is to be effective. The emergency services do emergency response day in, day out; it is their day job, and they still train for those once-in-a-lifetime events. That’s why our emergency services’ response is as good as it is, and if your response is going to be as good as it can be, you need to train. If you don’t, your response may well fail, and the consequences of that could be catastrophic for the business.

Developing a workable plan isn’t always straightforward and you may not have the people in-house to be able to develop one. I would also recommend that you use someone independent to help with training and testing the plan. My blog here will give you an indication about what consultancy services might cost.

What is Business Resilience?

Category : Preparedness

I am often asked ‘What is business resilience’?

A lot of people aren’t sure what it means, and that isn’t surprising as it’s a relatively new term and most small businesses and start-ups don’t factor it into their business planning. This, I believe, is a mistake, especially for a start-up or a business undergoing some kind of restructuring, as these are ideal opportunities to ensure your business processes are robust.

So, let’s try to unpack what business resilience is. In this article I will list some of the elements that combine to make a resilience strategy for a business. These are the main elements; to keep this post reasonably brief I have left out others, such as compliance and finance. Each of these elements is an area of specialisation with experts who deal with it and it alone. The trick for the resilience consultant is to understand all of these specialist areas and then pull them together into an overarching strategy, making sure the business is resilient to whatever challenges come its way.

Business resilience is about running your business in a way that addresses the risks of failure.  Being aware of and controlling those risks allows for better efficiencies and more robust systems for running your company.  The purpose of this blog is to help those who aren’t quite sure what it means to have a better understanding of why they really ought to consider investing in business resilience.

Business Continuity Management

Many people will be familiar with Business Continuity Management (BCM). It’s an industry that has been around for many years and is concerned with how your business will recover from disruptive incidents such as a flood or fire, and with making a plan to deal with the impacts. It is still a really important part of resilience and has its place in planning for the unexpected. In the olden days we used to call the result of BCM planning a Contingency Plan, which describes pretty much what it was and what it did. It tells us what to do when the wheels fall off, but it doesn’t really help avoid the incident having an impact in the first place. We need something more holistic to do that.

Crisis Management

Crisis management is another area of expertise, but a lot of people misunderstand the term because it isn’t a particularly descriptive name. Crisis management is about what you do when your brand is affected by an adverse event; let’s say your product has been implicated in harming someone. Clearly, there are all the things you have to do when something like this happens, such as testing the product and withdrawing it from circulation, but the bit we call crisis management is the bit where you set about reassuring your customers, the public, the regulator and any other interested parties that your company will investigate, find out what the problem is and put it right. In short, it’s reputation management. With everyone having access to social media, it is extremely important that you can react instantly to a crisis, and the only way you are going to do that is by having a robust, practised and well-tested plan.

For more on crisis management, you could have a look at another post I did earlier.

Risk Management

Resilience is all about risk management. It’s about mapping out the risks to the business and finding ways of mitigating them. Large companies refer to Integrated Risk Management and invest a great deal of time, money and energy in trying to draw all of the risks together and manage them. It’s difficult because large corporations tend to focus their attention and resources on whatever is niggling them at the time: new regulation, new product lines and so on.

What does the resilience consultant do?

One of the roles of a resilience professional is to help people map out their processes and look for areas of vulnerability, spot the risks and think of ways of mitigating them.  Much of the time we can get rid of the risk entirely with good planning. This is what resilience is about, not just about what we do when things go wrong (and they will) but what we do to prevent them going wrong in the first place. It’s about planning for the consequences and not the causes. The cause of the telecoms outage is secondary to the impact it has on your business and business resilience is how you continue to offer your services or products to your customers despite the unexpected.

What does Business Resilience Cost?

The government is pushing the ‘resilience’ agenda for all businesses and communities, and my mission is to make it accessible and affordable so small businesses will have access to the same level of advice as large companies. In many ways, it’s easier because a small business isn’t as complex as a large corporation and that’s why it will be more affordable than you think to ensure your business is set up to deal with whatever comes your way. I have written a blog about expected costs, you can find it here.

How much does business resilience cost?

If you are reading this you probably know you need to do something to understand the risks your company faces and want an idea of the costs you might expect to make your company more resilient.

If you are just reading out of curiosity you may wish to bear in mind that companies who haven’t invested in their resilience are more likely to fail when some adverse event takes place. 

Resilient companies also see improved systems of work because they have looked at and mitigated the risks.

Business Resilience isn’t just a new name for Business Continuity, it is much more than that.

Business Continuity is still important, but technology means that some of the traditional risks, such as loss of premises, are not as serious as they once were when your team can work remotely.

Business Resilience is about looking more holistically at the risks faced by your company and working out ways of removing or mitigating them.  It covers Business Continuity, Cyber Security, Crisis Management, Disaster Recovery and a whole host of other areas that were traditionally separated, often in silos, which is never good.

Finding a Business Resilience practitioner can be more difficult than finding niche specialists but it’s no more expensive.

When it comes to the cost of hiring a consultant or employing a business resilience specialist, you probably won’t be surprised if I say ‘it depends’, but read on and I will give you some useful information that might help you make some important decisions to improve your business’s resilience.

Building a resilient business is an ongoing set of processes and it depends on where you are now and where you need to be. 

Are you just starting out or are you an established company that is expanding and now needs to think a bit more strategically about how you will survive if something untoward happens?

Do you need to have ISO accreditation or do you just want to make sure your processes are robust and resilient?

Do you just want a Crisis Management Plan because social media is outstripping your ability to respond to criticism or high profile incidents?

So, I have put together a list of things you might need to do and I will give you an idea of what they might cost if you employed a consultant to help you.

The caveat is that these are estimates. If you want me or any other consultant to do any work for you make sure you have a discussion and a clear idea on costs and the scope of the project before the work is started.

I won’t do any work unless we have agreed exactly who is doing what for whom. That way we all avoid misunderstandings.

Some of the things you need to consider when making your business more resilient will include:

  • Business Impact Analysis (BIA) –

A BIA looks at your business operations and assesses the potential effect of a disruption.

The BIA can be conducted at operational, tactical or strategic levels.

How much this will cost depends on the size and complexity of the business, but for an operational-level assessment for a small business with a limited number of products or services you are probably looking at around £300-400. At the other end of the spectrum it will cost thousands.

  • Threat Mitigation Measures –

The BIA will identify risks, some of which may be easily mitigated by redesigning the process but for others, it will be necessary to develop some intervention measures.

This stage is about improving the resilience of your company and may take some time. I wouldn’t like to guess how much that might cost because it is very much a piece of work that needs collaborative working between your team and the consultant.

Consultants would charge somewhere between £400 & £800 a day but your team may well be able to do much of the work with some guidance.

It may take a day or it may take some weeks or months off and on. It really depends on the complexity of the business.

  • Developing an Incident Response Structure –

If you have an incident you are going to have to manage it.

I have a wealth of experience in incident response so I am well placed to help you.

If your company is small then I can probably develop a structure for about £300. Again, if your company is more complex it will cost more but shouldn’t be much more than £1000.

Once your structure is decided though you will need to train the team members in their role and develop the plan in the light of the training and exercising experience. This will obviously add to the costs.

  • Business Continuity Plan (BCP) –

A BCP can be a complex beast, depending on the complexity of the business and what you are trying to manage.

It could be made up of several sections covering such things as incident response, media response, major hazards, disaster recovery, cybersecurity, continuity of supply etc.

Clearly, with such a huge scope it would be very difficult to give you a cost, but each of those parts may start at around £300-400, again depending on complexity.

  • Plan Validation –

Once you have your plans in place you will need to validate them.

This will involve training staff and exercising the plans.

You will need to do this regularly so that everyone knows what their role is and so that you can be sure that the plan will actually work.

Again, it’s really going to depend on the scope of the training and exercising.

While you may be able to do the training in-house it is advisable to have someone independent doing the exercising.

I have a great deal of experience in all levels of training and exercising ranging from a short table-top walk through to full-blown multi-agency live play exercises. The former will cost you around £500 and the latter will cost much more.

  • Crisis Management Plan (CMP) –

A CMP forms a distinct part of the BCP and deals with the mechanics of how you will manage a disruptive event.

It’s about communication, internal and external with the public, shareholders, suppliers, and customers.

It’s about how you will put together teams to respond effectively to protect life, reputation and the ability to continue or recover operations.

A CMP has many parts, depending on the complexity of the company but a basic plan will cost around £1200 for a small company.

Hopefully, this has given you an idea of what costs might be involved to make your business more resilient. You could employ someone as a member of staff, which will cost the business around £80,000 – 90,000 per annum. Alternatively, you could use a consultant, allowing you to manage your costs and without the attendant expense of having an employee.  I will write a blog on how to choose a Business Resilience Specialist later so please sign up to regular emails to make sure you don’t miss out.

If you are unsure what you need but know you need something (and why would you have read all the way to the end of this post if you didn’t) please get in touch and I will do what I can to help.

Incident — Westminster Bridge / Houses of Parliament— Wednesday 22nd March 2017

Incident — Westminster Bridge / Houses of Parliament— Wednesday 22nd March 2017

Estimated reading time 6 minutes.

At lunchtime yesterday, Deputy Assistant Commissioner Lucy D’Orsi, Senior National Coordinator Protect and Prepare, spoke to Industry Sector Leads on a Cross Sector Safety and Security Communications Bridge Call. Please find below a copy of what she said to businesses.

I would like to brief you regarding the tragic circumstances of the incident on Westminster Bridge and at the Palace of Westminster on Wednesday.

To quote Assistant Commissioner Mark Rowley “We prepare for it but never expect to have to do it”. Our thoughts are with the friends and families of those killed and injured.

You will be aware that on 22 March 2017, at approximately 1440hrs, a vehicle drove into pedestrians on Westminster Bridge. The suspect then left the vehicle and proceeded to stab a police officer multiple times near to the Palace of Westminster. The suspect was then shot dead by a responding police officer.

Four people have been confirmed dead (one police officer, Keith Palmer, the suspect and two members of the public). There are twenty-nine other casualties (including a further three police officers), seven remain in a critical condition.

This is an ongoing police investigation being led by MPS Counter Terrorism Command. I can confirm, during the night, we have searched six addresses – and made seven arrests. The inquiries in Birmingham, London and other parts of the country continue.

It is still our belief – which continues to be borne out by our investigation – that this attacker acted alone on Wednesday and was inspired by international terrorism.

At this stage, we have no specific information about further threats to the public. Clearly our investigation is ongoing – developing all the time – and is focused on his motivation, his preparation and associates.

Police and partners are doing everything possible to protect the public.
We are reviewing the policing and security around events and crowded places over the following fortnight.

Specialist teams, well-rehearsed at dealing with major incidents, continue to provide a strong visible presence throughout the capital and across the UK.

The large and complicated crime scene remains in place and our work there continues – I would like to thank everyone for their support and patience as we finish this work. We will endeavour to reduce the size of police cordons as quickly as our investigation allows.

As a precautionary measure we have increased the number of officers on duty to provide a highly visible, reassurance presence (both armed and unarmed) across the country for as long as is needed.

The UK threat level has been ‘SEVERE’ for some time and this level will not change.

The level of threat is complex and ranges from lone actors intent on carrying out crude attacks to sophisticated networks pursuing ambitious and coordinated plots.

We urge the public to remain alert but not alarmed. The Police Service and our partners are doing everything we can to help protect people, public institutions, critical national infrastructure, and businesses and crowded places.

Our security measures and activities are under constant review to reflect where the threats exist and the level of threat we are facing. You will have already noticed a substantial uplift in police patrolling, particularly in the central London area. This is being replicated across the country and will continue as we seek to reassure the public and respond to this attack.

As always, we advise the public to remain vigilant and to report any suspicious behaviour or activity to the Anti Terrorism Hotline on 0800 789 321 or in an emergency the public should always call 999. Please reinforce that to your workforce.

I appreciate that you have responsibility for the security of buildings and therefore a large number of people. It is important at times such as these that the police security stance and that of the private sector is joined up. To ensure that we are joined up, we are recommending that you consider some protective security tactics to aid your security at this time, whilst remembering that the threat level remains at ‘SEVERE’.

The attack incorporated multiple methodologies – as such no one security element will wholly mitigate such attacks. We also understand that you have differing priorities, some of your ISL members being responsible for large iconic sites and others for small businesses, but the message remains the same to you all – effective security and effective communities defeat terrorism.

We know that terrorists will undertake hostile reconnaissance ahead of conducting an attack and increased vigilance by staff and the creation of a hostile environment combats such hostile reconnaissance. You should refresh the knowledge of staff that have received Project Griffin and Argus training and deploy staff who have received training in behavioural detection (where you have them).

Staff should be encouraged to be proactive in challenging visitors, vehicles, and anything out of place.

You should also consider the following options from our ‘Stakeholder Menu of Options’, particularly around crowded place, night-time economy, and iconic sites:

D Review patrol strategy (be unpredictable). Adopt high visibility clothing.

E Brigade resources with neighbouring contracts/buildings.

F Report any suspicious activity in a timely manner. Early reporting of suspected hostile reconnaissance is vital in combating terrorism.

G Implement communication links with surrounding premises to pass on information about suspicious activity/behaviour.

H Consider closing non-essential access and egress points.

I Focus CCTV on all communal areas and vulnerable points.

J Ensure CCTV is fit for purpose.

This is not an exclusive list and I recommend you look at the full menu (see the NACTSO website below) and consider any other options that suit your premises or organisation.

You should also review your building and business continuity plans in the light of this attack. You should ensure that first aid points are fully stocked and the location of key equipment is made clear to all staff. We also recommend that staff are directed to the Citizen Aid app and Run, Hide, Tell on YouTube. The number of casualties treated by the public highlights the importance of understanding first aid.

NaCTSO has refreshed its latest guidance on recognising the terrorist threat and I would recommend you access this at

The following links provide additional useful information that may assist when deploying the tactical options;

You will also be carrying out your own reviews of security levels and some of you will have innovative and new ways of delivering protective security, which you may wish to share with other partners. If you are deploying such tactics and are willing to share them, please forward them to NaCTSO who will circulate them. Please contact them on

We are also engaging extensively with communities, as we always do and have an extensive and well rehearsed plan to work with communities at this time. Today a meeting of faith leaders was held here at New Scotland Yard. Our community message will be circulated to CSSC after this call and I would urge you to pass that messaging on as appropriate.

We do recognise that, at times like this, there can be a rise in hate crime and we are keen to reassure all communities.

I want to thank the public for their support and all their good wishes – I know it is appreciated by all those men and women who are out there today protecting us.

I wish to reiterate that the UK national threat level remains at SEVERE: An attack is highly likely.

Haulage Company Incident Management – Forth Bridge Incidents

Haulage companies will be aware of two recent incidents on the Forth Road Bridge, when drivers ignored signs showing ‘High winds – bridge closed to high-sided vehicles’ and caused chaos across Scotland’s central belt.

Estimated reading time 4 minutes.

When you heard about these incidents, did you imagine the damage to your company’s reputation if something like this happened to one of your fleet? In this blog I will give you some pointers on how you can prepare to respond appropriately.

In the first incident this year, on 11th January, a Currie European lorry driver ignored the signs and his lorry overturned on the Forth Road Bridge, leading to its closure for about 19 hours. The second incident this year was on 14th March and, like the first, it caused chaos not only at the bridge but all over Scotland’s central belt as traffic was forced to divert.

You can imagine the strength of feeling that flooded social media. The twitter feed for the second incident that occurred on the 14th March will give you a flavour:

In both these incidents the haulage companies failed to respond in any way to the social media storm that was unleashed.


In the case of Currie European, photos of the upturned vehicle with the company name all over the news can’t have been very good advertising and are still available on the internet now for anyone to see.

So, what is a transport firm to do about this? How can you manage your reputation when an accident caused by one of your vehicles leads to widespread disruption and a social media shit-storm slagging off your company?

Well, HGV driver training and a robust company policy are good places to start, but not every incident is the result of poor decision-making on the part of the driver. Sometimes accidents happen!

What was clearly lacking in both incidents was any kind of Crisis Management Plan. Thousands of tweets mentioned Currie European on the 11th and 12th of January. How many tweets did Currie European put out in response?

This is their twitter account, as of today (15th March 2017) and there are exactly ZERO tweets, ever.

It’s obvious then, that they missed an opportunity to protect and even enhance their reputation. The public gets upset when accidents happen that spoil their day but if the company responsible at least apologises and assures everyone they have a plan and are going to put things right as soon as possible, it can enhance their reputation as a company that cares.

So, what do you, the owner or director of your haulage company, do?

You need to have an action plan in case of a crisis. I am told that in one incident the company MD was not informed of the incident until he came to the office several hours after it happened. While this anecdote may just be hearsay, what is obvious is that the company had no plan for how they ought to respond.

A quick list of actions you should consider when devising your plan would be:

  • Decide in advance what your social media response will be.

  • Have pre-agreed tweets, press releases and Facebook messages ready to be sent out by duty operational staff immediately. If you wait, it will be too late and the damage may be irreparable.

  • Have a mechanism for informing senior managers so they can respond.

  • Be prepared for the MD or another senior director to face the media.

  • Ensure that an operational team is trained and ready to respond to the actual incident.

  • Make sure the plan is understood by everyone, and is tested and trusted.

  • Make sure everyone is trained to carry out their role.

So, what are the benefits of doing all of the above? You will protect and probably enhance your reputation. Past incidents demonstrate that any company that responds positively, no matter how grave the situation, comes out on top.

The senior person who fronts the media gives the company a human face. People react positively to being treated as humans by humans.

When the MD looks straight at the TV camera and says ‘Sorry for the disruption, we are doing all we can to put things right and we will learn from this’, public outrage softens and people will come to your defence. People know mistakes and accidents happen; it’s how you deal with them that makes the difference, and you can only do that if you come prepared.

When the inquiry comes, as it surely will, you will be able to point to the actions you took to rectify the situation, showing that you are a caring, responsive operator who had done all you could in preparation for something going wrong. Regulators like that sort of thing. I know, I used to work for one of them.

If you need any help with your planning, please do get in touch.


Cyber Attack – How much does it cost to fix?

Category : Preparedness

How much does it cost to fix a cyber attack?

Estimated reading time 4 minutes.

Wynn kindly wrote the following blog for me. It goes beyond the original question, explaining the new law coming into effect next year. You need to know this! He also gives useful advice on how to protect yourself from attack in the first place.

The question: what is the average cost to fix a cyber-attack? Good question, but difficult to answer. It depends on the business and on the type of attack used by the very organised cyber criminals of today. On average, UK SMBs collectively suffer around seven million cyber-attacks a year, with the average attack costing them £3,000, new research has shown (this is based on a study from mid 2016). The Federation of Small Businesses (FSB) found that SMBs are the victim of an average of four cyber-attacks every 24 months, with 66 per cent of the 1,006 organisations surveyed having been a victim of cybercrime at some point.

Taking into account the increasing complexity of the attack vectors used by cybercriminals, and the fact that the vast majority of cyber-attacks go unreported to the authorities, the true number is much higher and will only continue to grow. That matters all the more because the General Data Protection Regulation (GDPR) applies from 25th May 2018. From that point, every business that stores personal data about individuals in the EU is responsible for protecting that data. This doesn’t just mean card payment details, as most people mistakenly believe; it means plain old names, addresses, email addresses, telephone numbers and so on.

Common cyber attacks

As of May 2018 you will be held responsible for any breach of the personal data you hold. Not only that: if you fail to report a breach you will be in even further trouble. A personal data breach that is likely to put individuals at risk has to be reported to the data protection authority (the DPA; in the UK, the Information Commissioner’s Office) within 72 hours of your becoming aware of it, and you must keep a record of every breach whether or not it is reportable. You will also have to be able to demonstrate that you have taken appropriate technical and organisational measures to protect the data.

You will no longer have the excuse of ‘I didn’t know about the new regulations!’ The new regs state very clearly that it is the business owner’s responsibility to ensure that they know the law and have made every effort to secure the data they are responsible for, whether it is in their own possession or that of a third-party supplier. If you attempt to feign ignorance, you will receive extra penalties.

There is currently far too much complacency around data security and cybercrime, from business owners, individuals and IT service providers alike. Many IT suppliers claim to have their clients’ data security needs at the forefront of their agenda, when in reality they do not understand the current attack vectors used by cybercriminals, and have no training or experience in how to prevent said attacks. They deliberately evade implementing even the most basic IT security best practices, and think that installing antivirus software or a bigger firewall is doing the right thing. IT service providers are reluctant to change default configurations and installations, and to restrict both their own and the clients’ access. They reuse passwords across multiple clients, and those passwords are all too guessable to the trained hacker.

In reality, even a cheap firewall, properly configured, will prevent direct access. Good antivirus is essential, as is security patching of operating systems and applications. But more importantly, the biggest advance in protecting a website, network or computer from attack is training of the end user and good practices. As with anything in life, there is no silver bullet for this problem; we all have to take ownership, accountability and responsibility for our actions and the data that we store.

As such, the average cost of a cyber breach will rise in the years to come. Not only will business owners be accountable for the data they store, but they will be fined by the authorities for not making the best effort to protect that data. Then there will be the litigation suits, or as the Americans call them, class action suits, fired up by the long line of compensation chasers, who are currently looking for another avenue to pursue once the PPI funds run out.

Business Resilience – Why?

Category : Preparedness

My mission is to scare business owners by telling them about all the things that they should be lying awake at night worrying about. Things like, what if the power is cut off? What if the staff are off sick? What if my suppliers let me down? What if someone digs up the telephone cable?

Luckily, because I have been in this line of work for a few decades now, I know how to help those people sleep soundly, without resorting to drugs and alcohol, unless they want to of course.

I spent the past 27 years as a Coastguard Officer dealing with emergencies at sea and on the coast of the UK. My last 15 years were spent in a variety of roles, dealing with planning and responding to emergencies. The last 5 years were as a senior officer responsible for resilience, working primarily with government, devolved administrations and the other emergency services to improve the resilience of the UK to disruptive events. As part of a re-organisation I found my role as Head of Resilience being relocated to Southampton. I didn’t want to go so I took the package. I tried retiring but it didn’t suit me.

My ‘why’ is that having spent so many years trying to make the country safer and to improve society’s response to emergencies I felt I wanted to continue. I have often seen small and medium sized businesses struggle and even fail because they didn’t have access to advice on how to make their business more resilient. Most businesses don’t need full blown business continuity plans but they would all benefit from advice and that is what I set my company up to offer. Good, pragmatic, inexpensive advice.

One story I often tell to illustrate how my ‘why’ came about revolves around an incident many people will be familiar with.

On 1 November 2006 Alexander Valterovich Litvinenko, a former Russian spy who was living in London, became ill and died 23 days later from polonium-210-induced acute radiation syndrome. Remember that?

Now the bit you won’t be familiar with (unless I have told you it already) is that one of the outcomes of this incident was that the authorities set about tracing where the polonium-210 had been. They wanted to isolate any traces of it because it’s obviously dangerous! They traced its path around London and wherever they found a trace they shut the building down.

John Smith (I’ve forgotten his real name) had his office supplies business in one of those buildings. He had spent 15 years building his business but now he was denied access to the building. By the time he was allowed back in, his business was in ruins.

As you know, the office supplies business is a very efficient supply chain, but that efficiency makes it vulnerable to disruption. As a good business owner, you order your printer juice or paper today and you want and expect it to be delivered tomorrow, just in time. The problem for Smith was that he hadn’t anticipated being denied access to his building and had no way of accessing his computer or his phone. He hadn’t backed up any data and everything was held in his office, so he had no way of letting his customers know of his problems and his customers had no way of placing their orders. The customers wanted their order delivered tomorrow or their business was in trouble. So, they phoned one of Smith’s competitors. They got their office supplies, were satisfied with the service they got and stayed with their new supplier. John Smith’s business was destroyed in a week.

So, what could Smith have done to avoid his enforced early retirement? He could have called me when he started out in business and I would have advised him to back up everything to the cloud so he could access his customer records and still operate. I would have advised him to invest in a VOIP phone so that he could easily divert his calls to any phone or computer he wanted in minutes. There are a load of other things as well, but they could all have been put together and detailed in the plan called ‘Polonium Incidents’, ready for just such an event (I assume you all have one?). His business would have carried on without his customers realising there was a problem and without losing a single sale.

I know it’s simple, though it gets more complex the larger the company, but bad things happen to good people if they never think ‘what if’. My ‘why’ is that I want to help good people avoid the avoidable through planning and preparation. They might also manage to sleep better.

Pandemic Flu. What you need to know.

Category : Preparedness

Pandemic flu can affect your business, especially if you are unprepared.

Bird flu is in the news today.

So what does that have to do with Business Resilience I hear you ask. I don’t run a poultry farm!

I’m glad you asked because you might do something to mitigate the risks to your company if you read on.

We have had H1N1 and H5N. This time it’s H5N8. (They must sit up late into the night dreaming up these catchy names.)

Bird flu can mutate and affect humans. This can cause a pandemic potentially affecting millions of people worldwide. It’s especially risky when we are entering flu season. Guess when our flu season starts?

What would your company do if there was a pandemic and a large proportion of your staff were off sick over a rolling 3 or 4 month period? We are talking about somewhere in the region of 20% being off at any one time. The typical scenario is that someone catches flu, takes a couple of weeks off and comes back. The nature of a pandemic, though, is that someone else will then go off for another 2 weeks, and this cycle may continue for about 3 or 4 months. Then, just when you think it’s all over and it’s safe to relax, the cycle may repeat itself in about 6 months’ time.

Then there are the childcare issues for sick kids. Some people may have to nurse sick relatives. A pandemic will kill people, often fit and otherwise healthy people like those in your workforce, their relatives and friends. What about the staff who decide they are not leaving the house until it’s all over?

There are lots of questions to ask, and I know because I have been involved at a national level over the years in asking and trying to answer the question of how we keep the country running when a quarter of the folk we need are off sick. That includes care workers, ambulance staff, nurses, doctors, teachers, retail staff, delivery drivers and your whole supply chain, as well as your own staff! The list goes on, but we can do something about it with some forethought and planning.

This is what the UK Government has to say about pandemics.

‘Influenza pandemics are a natural phenomenon that have occurred from time to time for centuries – including 3 times during the 20th century. They present a real and daunting challenge to the economic and social wellbeing of any country, as well as a serious risk to the health of its population.

There are important differences between ‘ordinary’ seasonal flu and pandemic flu. These differences explain why we regard pandemic flu as such a serious threat.

Pandemic influenza is one of the most severe natural challenges likely to affect the UK, but sensible and proportionate preparation and collective action by the government, essential services, businesses, the media, other public, private and voluntary organisations and communities can help to mitigate its effects’.

‘Pandemic influenza emerges as a result of a new flu virus which is markedly different from recently circulating strains. Few – if any – people will have any immunity to this new virus thus allowing it to spread easily and to cause more serious illness. The conditions that allow a new virus to develop and spread continue to exist, and some features of modern society, such as air travel, could accelerate the rate of spread. Experts therefore agree that there is a high probability of a pandemic occurring, although the timing and impact are impossible to predict. The H1N1(2009) pandemic does not lessen the probability of a further pandemic in the near future, and should not be seen as representative of future pandemics’.

If you want to read the rest of what the Government has to say about pandemics (and it is a lot) you could pop over here and have a look. Alternatively, you could give me a call and we could talk about how you might be able to get through it.

Could you cope with losing around 20% of your staff over a rolling period of 3 or 4 months and then again in 6 months? Do you have a plan?

The precautions advised by the Chief Vet may well prevent this strain of bird flu from developing into a pandemic, but one will come, one day. Perhaps now would be a good time to think about how you will continue to provide your goods or services when a lot of your staff, some of whom will be key people, are absent from the workplace. It’s going to be difficult to plan when you are desperately busy just trying to keep the business afloat.


Supply Chain Resilience

Category : Preparedness

The resilience of your supply chain is probably critical to the smooth and continued running of your business but the majority of business owners have no idea how resilient their supply chain is, or isn’t!

Do you know what supply chain issues might affect your business?

A recent report by the Business Continuity Institute found that:

  • 60% of disruption is caused by unplanned IT or telecoms outages.
  • 45% by loss of talent or skills.
  • 39% by cyber attack or data breach.

Below is a graphic from the report showing the main risks to supply chains.

BCI Supply Chain Resilience Report main risks

On reading the list, some things may appear not to affect you. Earthquake/tsunami, for example, may not appear to be much of a problem in the UK, but the 201 tsunami in Japan caused global supply chain problems. Here is an interesting article on that event and how businesses around the world were affected.

So what can you do about it? What business continuity measures can you take to mitigate these risks? Alarmingly, just under a quarter of organisations have no business continuity management (BCM) arrangements in place! I would imagine that small to medium sized businesses make up the majority of that figure.

Have you seen the business continuity plans (BCPs) of your suppliers? Perhaps now would be a good time to ask them what they are going to do to ensure their business continuity. If they don’t have a plan, you are probably going to have a problem that will affect your business, your customers and your reputation.

Here is a full copy of the report should you wish to know more.

BCI Supply Chain Resilience Report 2016


Business Resilience 10 Minute Plan

Category : Preparedness

Scottish Business in the Community have developed a business resilience 10 minute plan that was launched yesterday.

business resilience 10 minute plan

Taking 10 minutes to work your way through it is a really good use of 10 minutes that might otherwise just be squandered socialising or with friends and family. 😉

To save you the trouble of looking for it yourself (that would take 2 extra minutes) I have downloaded it for you.

Just click and off you go!