Castellan brings every aspect of resilience management – from readiness to response – together in one place, so you can stop hoping and start knowing.
Now you’re ready.™
And that’s a wrap. Castellan recently finished up season two of its podcast, “Business, Interrupted.”
In the season two finale, hosts Cheyene Marling and Brian Zawada reflected on some of their favorite moments.
“There were so many incredible guests. So many great takeaways and moments,” Marling said.
One of the big themes throughout the season, Zawada pointed out, was the shifting focus on cyber risk and cybersecurity across industries, and the many challenges organizations face from a supply chain and dynamic risk perspective.
Cyber resilience was a key point of conversation in episode seven with Jim Kastle, chief information security officer of Kimberly-Clark. He shared his thoughts about how the approach to cyber response has changed over the years.
“What’s different is the fact that cyber-attacks move so rapidly that you don’t have time to think,” Kastle shared. “It’s got to be muscle memory, and you’ve got to have the right incident response plan. You’ve got to have automation that quarantines automatically. It’s better to quarantine first and then figure out if you over-quarantined and back off from there.”
“Cybersecurity has really amped up,” Boltz said. “We have always been concerned about it, but with the pandemic happening we certainly, like everyone else, [saw] kind of a surge of attempts of fraud and cybersecurity. So that part of our business has really become a big part of how we think about resilience and risk management.”
“We are thinking about the world having much more risk than we ever saw before,” she added. “And so that not only means controlling it, but how do you keep flexibility in it? And how do you accept that as a way of doing business going forward?”
In addition to conversations about changes for resilience management post-pandemic, Michael Bratton, director of consulting at Castellan, talked about how, with organizations facing a growing number of disruptions, there’s a real understanding now that worst-case scenarios are reality.
He talked about approaches for managing those severe, yet plausible scenarios in episode five, especially in terms of soft skills, for example, how we work with our employees during and after a crisis and support them after the initial shock of an event passes.
“How do we get in touch with people, track them, not necessarily monitor them, but make sure they’re OK?” Bratton asked. “How do we deal with the lingering effects? What sort of redundant means do we have to be able to do outreach and help people and help them get through these tough times?”
“I think it’s important to maintain empathy and compassion for your people because even during the worst of the worst circumstances, we get into this tactical mindset,” he explained. “And it almost becomes transactional. What are the list of things we need to accomplish between 8 a.m. and 8 p.m.? But at the end of the day, our people are the ones that are responsible to accomplish those tasks.”
As such, post-crisis recovery was also discussed frequently during season two.
Drawing on lessons learned from pandemic response, Andrew Velasquez, first deputy aviation commissioner for the Chicago Department of Aviation, chatted about crisis planning and preparation during episode eight, with a focus on how to look forward even in the midst of a crisis.
“We had to instill confidence in the traveling public and so we did that through the strategic plans,” he recalled. “We did that through all of our mitigation efforts. We did that through all of our regular stakeholder calls. And then concurrent to all of that, we started developing our recovery reconstitution plan because we knew that there is significant overlap between response and reconstitution. So we needed to make sure that as we were working the response, we were already thinking about how we were going to bring things back to full operations, so to speak.”
And how do organizations do that? One way is to draw on some of the resilience management best practices and leading principles shared throughout season two.
Mark Armour, co-author of the book, “Adaptive Business Continuity: A New Approach,” discussed different resilience management styles during the season’s first episode.
“Just because we can prevent an event doesn’t mean we can always predict and anticipate the consequences of that event,” he said. “We can set ourselves up for failure if we think we can predict consequences.”
Looking back on pandemic planning in 2019, before the full brunt of the outbreak, Armour said there were things that weren’t anticipated that happened in real life.
“What we didn’t anticipate was, well, what am I going to do if most of my customers go away because we’re in entertainment or the travel industry? What are we going to do if we suddenly see a huge loss of staff because now people don’t want to come into the workplace and perhaps we are mandating that? So, there is a whole host of other things around which we might have to make decisions on the fly, and if we try too hard to predict what we may experience, and if we prepare for that, then sometimes we are going to be caught off guard and maybe find ourselves less prepared than we’d like to be.”
This is why adaptive and scalable resilience management programs are important.
“I quickly realized that traditional BC/DR is not super scalable,” he said. “The way people run these programs, you have a central group. They have a schedule—January through December. And you approach different departments and you make sure they have their plans and their exercises. You do that all year, and then come January, you start over.”
That’s just not scalable at all, Baldwin explained.
“If you cannot do the whole enterprise in that 12 months, you have to hire more people. And additionally, if anything happens, an actual incident or some kind of unexpected event occurs, it puts you off. And you are always behind and you’re always trying to catch up. I’ve yet to work a year where something hasn’t happened. It’s just a very difficult program to be successful with.”
Defining that program success was also a common theme throughout the season.
“It starts in risk intelligence,” she said. “We always talk about speed, relevance and usability. So, whenever you’re looking at risk, you’re trying to see how fast you can get the information, but making sure it’s relevant and it’s not just this massive flow of useless information of which the one key piece gets lost inside of that. The key of relevance is back to your, so what? If something is going to happen, what is the impact it’s going to have on me, and downstream what do I need to do? And usability of that information, to be able to take it and apply it into the resilience program you’ve built.”
Moving toward that success often starts with how you set up your program. Often, resilience management professionals say they struggle to get things started because they’re too often lost in the details.
“From the day you get hired, you’ve got a few weeks of getting to know the organization. You might start building out your toolsets and identifying where you’re going to do your BIA,” he said. “You build your BIA tool. You eventually get all the business done of BIAs, and depending on how big your organization [is], that could be months or weeks. Some organizations take like a year to just run through and do every single work unit—and that’s even before you actually build the plans. So that runway is so long that by the time you produce some tangible result, it’s so far past when you started. That was one of my biggest takeaways. You’ve got to win fast.”
Those are just some of the highlights from the season two recap. If you’d like to hear more, check out episode 10, “Expecting the Unexpected.”
Want to hear more of “Interrupted?” It’s available on the Castellan website or wherever you listen to your favorite podcasts.