


According to Jim Lukaszewski, "The most volatile component of all crisis response is victim management. Failure to promptly, humanely, and empathetically see that victims' needs are also met will eclipse an organization's response. Even a flawless response will be remembered for its angry survivors, relatives, public officials, sometimes competitors, but almost always the critics.

Welcome To #BCAW2019
"Investing in Resilience"
Welcome to BCAW 2019! This week is full of activities and plenty of opportunities to raise awareness of resilience within your organization. Keep reading to find…

FEMA has released a new guide to supply chain resilience aimed at helping emergency managers. The guide provides recommendations and best practices on how to analyze local supply chains. In addition to this, it also allows them to work with the private sector to enhance supply chain resilience using a five-phased approach.

Business Continuity Awareness Week (BCAW) is an annual global event that is facilitated by the BCI and is a key vehicle to raising the awareness of the profession and demonstrating…

This is the first of a three-part series on human concerns in disaster recovery, by Vali Hawkins-Mitchell:
(Part 1) What: What are Human Concerns
(Part 2) So What: The Risks
(Part 3) Now What: The Applications

Security and Business Leaders: A Communications Gap
When I find myself talking to a group of security professionals, eventually the topic will turn to whatever security breach was in the news that morning, and how easily it could happen to us. From there we might discuss how people outside the security profession do not see these obvious risks in the same way that we do. Then we will ask each other how we can convince our executives to give us the proper resources to protect our organizations from the threats that we see so clearly every day. How can they expect me to protect the company if they cut my budget? Why don’t they think about security before the incident happens? How do I get “a seat at the table”? Why does procurement have more say about my program than I do? Why won’t they do what I know they need to do to protect the (insert important thing here)? These questions, although natural to people who are driven to protect and defend what we are responsible for, are, in fact, not the questions that are going to get our security programs where they need to be. Why not? Because we are not speaking the language that our audiences understand.Bridging The Gap: Whose Job Is It?
We tend to believe that it is the business’s responsibility to understand the importance of security. Therefore we don't recognize the need to invest in security. But in the world of business, that’s just not the case. Business leaders have operations to run and missions to fulfill, and as security leaders we need to understand that it’s up to us to bridge the gap between the security way of thinking and the business way of thinking. Just as we would learn the language if we setting up a security shop in a foreign country, we need to ensure that we are speaking the language that business executives understand. This is critically important when we are discussing the needs we have for the the enterprise security program. It’s not a large gap to bridge. But you have to recognize that gap if you intend to cross it.Building the Bridge: A How-To Guide
There are a few relatively simple things to keep in mind as you begin the process of bridging the communications gap that seems to exist in many organizations between the security team and business leaders.Engage as a partner to understand what the business needs
You cannot build a bridge if you do not know what is on the other side of it. The most critical piece of the equation when engaging business executives in a discussion about the importance of security is understanding how they look at the world and what is most critical to them. In most cases, the easiest way to find out what is important to people is to just sit down and have a conversation Simple questions like:- What are your responsible for?
- What does your group do?
- Is there anything you are particularly worried about?
- What are the critical needs for your group that if something happened to them you would not be able to do your work?
Treat security risk the same as any other business risk
Framing your discussion of the security issues and risk will help build your relationship on a common platform. Business leaders are used to having critical discussions about risk. They deal with risk every day in all areas of the business. Financial risk, operational risk, resource risk, regulatory risk… These are all topics that your executives think about every day. If you are going to talk to them about security, frame your discussion in the language they understand… risk. The risk-based conversation looks a little different than the old-style security conversation. In a risk-based approach:Security conversations are based on:
- Quantified risk measures
- Identified risk tolerance thresholds
- Resource owner agreement
- Measurable evidence
Security decisions are NOT based on:
- A “gut feel”
- “What everyone else does”
- “Fear, Uncertainty, and Doubt”
- A “best practice”
- Anecdotal evidence
Measure and Report Your Results
However, it’s not enough to simply have a risk-based conversation. Once you are engaged in a risk-management approach, you must continue to engage in the business process, just as any other business function would. That will require ongoing reporting of the effectiveness of your program in quantifiable ways. Identify metrics that show trends in risk, not just tasks completed or hours of work accomplished. You must tie meaningful data to your security activities if you want to measure the impact of a mitigation on a security risk. A few examples of risk-management metrics:- A reduction in the number of vehicle breaks-ins in a parking lot after an increase in patrols
- An increase in reported security concerns following a campaign of security awareness for employees
- An increase in the number of visitors to a facility processed per hour when implementing a visitor management system
- A decrease in the time to deploy credentials to new employees in response to a streamlined procedure.
About the Author: Rachelle Loyear
Rachelle Loyear is the VP of Integrated Security Solutions for G4S Americas. In this role, she leads the G4S Security Risk Management and Integrated Practices management office. Her main task is to help G4S customers take advantage of the powerful risk management business approach. She wants these customers to integrate the approach as part of their holistic security programs. Rachelle has spent over a decade managing programs in corporate security organizations. Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber. Rachelle is PMP, CISM, and MBCP certified, is active in multiple security industry groups, and volunteers as the program manager of the Enterprise Security Risk Management program management office at ASIS, International. Additionally, she is the author/co-author of three books in the security risk management subject area: Enterprise Security Risk Management: Concepts and Applications; The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security; and The Manager’s Guide to Simple, Strategic, Service-Oriented Business Continuity.
According to Jim Lukaszewski, in a crisis, effective decisions and actions must precede communication. The reality is that once the instant of crisis has occurred, the process of recovery has begun. Recovery can be quite complicated and lengthy. The operational response goal is to put the focus truly on the first 1-3 hours of a crisis. This will then assure that tone, tempo, scope, and intent are established powerfully and constructively. Emergency communication response priorities must also address appropriate operational action. In addition to this, it must match the expectations of all potential audiences who could be affected or afflicted by your actions or by the crisis situation.

FREE emergency evacuation plan outline for you and your business needs
It is one of the many templates, tools and resources included with the book Emergency Evacuation Planning for Your…

Adaptive Business Continuity is a flexible in comparison to traditional continuity planning. Its focus is the continuous improvement of an organization’s capabilities to recover from disruption and disaster. In addition…