Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions


There is widespread coverage of a large fire that has broken out at a research building attached to The Christie.  The fire started at around 10.35, being brought under control shortly before 1500hrs, although still not extinguished.

The nature of this incident would test even the most developed and well-rehearsed business continuity plan, from both a business recovery and crisis management perspective.  The following gives just a couple of considerations:

Communications

This fire highlights the factual inaccuracies that will surround an incident of this nature.  As an example, the Manchester Evening News was reporting at 11.05 that the hospital had been evacuated.  This is not the case, and the hospital has not required evacuation; it is known that the building itself does not house patients, but it is adjoining the hospital.  Some patients have been moved and some treatments have been postponed, and the hospital has released details for patients that are trying to make contact.

The nature of medical research results in a complex relationship between different organisations; in this case, the Manchester Cancer Research Centre was formed between the University of Manchester, Cancer Research UK and the Christie NHS Foundation Trust.  It is now the cancer research part of the Manchester Academic Health Science Centre (MAHSC), which is a strategic partnership between the University and six NHS Trusts across Greater Manchester.  There are also a significant number of stakeholders with, for example, a wide range of funding bodies.  Each of these different organisations will have their own communications needs and priorities, and a coordinated crisis management approach will have to ensure that the different strategic aims and cultural values are taken into account.  More importantly, it is critical that these organisations work together to align behind a single communications message, avoiding contradictions.

Internal communications should also be a priority.  It was interesting to note that one student stated that “I left because I couldn’t bear the smell and it was making me really dizzy, but then I was told there was a fire and we had to leave”, raising a question about methods used to communicate with staff.

Business Continuity and Recovery

At 11.30, clinical and admin staff were reported as having been evacuated and standing on the pavement 50 yards or so away.  It would be interesting to know what the business continuity recovery time objectives (RTO)  are, and whether staff would shortly be directed to work from alternate premises or to go home.  Would alternate arrangements be considered in the case of inclement weather?

In terms of business recovery, it could be difficult to quantify the longer-term effects that this incident could have on research, particularly if samples have been lost.  One student, Nerette Navarro, was quoted as saying, “Either everything is burnt, smoke damaged or water damaged, so everything is lost”.  It is also worth noting that research is particularly difficult to quantify through a standard Business Impact Analysis (BIA) process, particularly for longer term studies.

Welfare

There will be welfare concerns that need to be addressed.  This will apply to patients and their families, who are already under a degree of stress, and to staff.  Additionally, students who are working to deadlines and have funding constraints will need reassurance.

Lessons Identified

It would be interesting to note if the MAHSC and The Christie were able to share any of the lessons learned from the fire at the Royal Marsden Hospital or other similar incidents at research, university or hospital sites.  Equally, will MAHSC and The Christie share their lessons from this incident?

 

Contact Cambridge Risk Solutions to find out how we can help you with business continuity and crisis management planning.  Call us on 0800 035 1231

Written by Helen Molyneux

The message below describes an exciting research opportunity at Sheffield University: please pass on to anybody who may be interested.

“We are seeking applications for an ESRC PhD studentship, entitled ‘Social media and community resilience: a process based study of South Yorkshire Fire and Rescue Services’. Funded by a White Rose Doctoral Training Partnership Collaborative award, the successful applicant will work with SYFR to evaluate how sites such as Facebook and Twitter can be used to promote community disaster resilience and encourage citizens to fully participate in disaster risk management and reduction initiatives. SYFR are also providing the successful candidate an internship with the organisation as part of the studentship.

“Further details on the studentship can be found here and the closing date for applications is 8 May 2017.”

Speaking last week at the Institute of Directors, Minister for Digital and Culture, Matt Hancock, announced a new push on the Cyber Essentials programme to encourage all UK businesses to adopt the scheme.  Measures announced include:

  • Updating the Cyber Essentials requirements, to make the scheme easier to use;
  • A marketing campaign to raise awareness and drive adoption of the scheme;
  • Strengthening the requirement for Government contractors to take up the scheme; and
  • Firms including Barclays, BT, Vodafone, Astra Zeneca and Airbus have agreed to encourage adoption amongst their suppliers.

The Minister also announced that the number of Cyber Essentials certificates awarded had more than tripled in the past year, with the total now exceeding 6000; and that the Government will be publishing the figures on take-up each month from now on.

Go to the Information Security section of our website for more information on how to improve your cyber security.

 

Two weeks ago the ICO announced that it had fined a senior barrister £1000 for failing to keep clients’ sensitive personal information secure.  The ICO explained that the barrister had kept sensitive information on 250 clients on a home computer without using any encryption.  Then, during an update of software on the computer, files were automatically backed up on-line, where they were temporarily visible to search engines.  There are clear lessons here for other small businesses, but it would appear that large organisations also have issues.  A few days later the ICO announced that it had fined Norfolk County Council £60 000 for leaving social work case files in a cabinet that they disposed of – the files were discovered by a member of the public who bought the cabinet in a second-hand shop!  Once again, this example highlights that information security is not just about electronic data.

Ann Summers Product Recall

Whilst a very useful resource, the Electrical Safety First website is not normally that entertaining.  Typically there is a list of battery chargers that pose a fire risk and similar items, but today is different as a recall has just been announced of Ann Summers “Black Power Wands”.  Not only that but the reason for the recall is described as “Risk of electric shock.  Prolonged use may result in the wires in the cord at the base of the product becoming exposed.”  So please do spread the word to friends and family.  We may never see data from this particular recall, but typical success rates for electrical goods are only 10-20% so there could be quite a few faulty “Power Wands” out there for some time to come.

The Coop began recalling 3000 chocolate Easter bunnies earlier this week, after a battery was found in one.  This in itself is not remarkable, we have blogged before about the rising number of food product recalls; but what makes this story remarkable is that only six weeks ago the Coop had to recall tens of thousands of chocolate Santas for the same reason.  Product tampering, as opposed to contamination during the manufacturing process, is suspected in both cases.  Beyond that, details are scarce, although it was stated after the December incident that there had been no blackmail or ransom demand.  Maybe all we can say at this stage is that lightning really can strike twice.

On a positive note, the Coop appears to have implemented both recalls effectively, and in a timely fashion; although it is quite difficult to find the details of the recall on the Coop website.

It was announced last week that the Information Commissioner’s Office (ICO) had fined the insurance company Royal Sun Alliance £150 000 for the loss of a hard drive containing names, addresses and bank account details of 60 000 customers.  The device was stolen from RSA’s offices in West Sussex but it is not known whether the theft was carried out by a member of staff or not, and it has never been recovered.

A statement from the ICO said:

“When we looked at this case we discovered an organisation that simply didn’t take adequate precautions to protect customer information.  Its failure to do so has caused anxiety for its customers not to mention potential fraud issues….There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment.  RSA did not do any of this and that’s why we’ve issued this fine.”

Once again, this incident emphasises that having appropriate policies and procedures in place, and understood by staff, is a critical part of information security management.  For more information on information security and ISO 27001, go to our “What is Information Security” page.

The severe disruption to London Ambulance Service’s IT systems on New Year’s Eve has been widely reported in the media, although little is known at this stage about the root cause.  Hopefully, in due course, any useful lessons identified will be shared throughout the NHS to minimise the chance of a recurrence.  In the meantime I was struck by two thoughts…

Firstly, and as I have probably remarked previously in this blog, it is a reminder that very unlikely combinations of events do happen from time to time.  Much of the reporting of the incident focused on people’s incredulity that such an outage could occur on the busiest night of the year; indeed if I presented an NHS client with something similar as an exercise scenario I suspect I would receive much negative feedback about the credibility of the scenario.  Nevertheless it happened.

The second thought arose from the assumption that having a disruption at a busy time is, by definition, the worst case scenario.  I know nothing about the workings of LAS but it seems at least plausible that they were actually better able to manage the disruption because they had increased staffing to cope with the expected demand and had already deployed large numbers of staff on the ground in treatment centres.  I don’t wish to labour the point, but it just occurred to me that there are important implications for planning for ‘reasonable worst cases’: the most difficult disruption to manage may actually be one that occurs at a quiet time when resources are very limited?

October was a busy period for food product issues with eight recalls over the course of the month, as against a long-term average of about 35 per year (although it did hit 56 last year).  The products affected were:

  • Patchwork Pate – fifteen varieties of pâté
  • Milegate Ltd – Mystry Dried Pangash fish
  • Kopparberg – sparkling rose strawberry and sparkling rose raspberry cider
  • HiPP – Organic Fruity O’s breakfast cereal
  • Hilltop Honey – raw British creamed honey
  • Suma – canned organic sweetcorn
  • Biona – canned organic sweetcorn
  • A G Barr – Rubicon sparkling mango

The recalls were made for a wide variety of reasons including: chemical contamination, lack of manufacturing controls, metal contamination and yeast fermentation! Regardless of the specific trigger event, each of these incidents presents a significant risk of financial and reputational damage if not handled appropriately.  As well as the normal guidance on business continuity and crisis communications, the British Retail Consortium (www.brc.org.uk) includes a specific requirement to plan for product recalls and withdrawals in its certification scheme.