Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions

Phone:

0800 035 1231 (Mon to Fri 9am – 5pm)

Suite 3, The Cotton Mill, Torr Vale Mills, New Mills, Derbyshire, SK22 4HS, UK

I was delighted to see an article on the BBC website today repeating much of what we said in a blog post back in January!  When we blogged the number of confirmed cases of Coronavirus globally was doubling roughly every two days; but now the BBC reports that confirmed cases in the UK are only doubling every 3-4 days.  In the current situation we have to be thankful for any good news.

This is also a reminder that our understanding of the pandemic is still changing from day to day as more data emerges – a theme that we first blogged about in January too.  This theme was reinforced again in the news today with reports of a new piece of research that predicted there could be as few as 7000 Coronavirus deaths in the UK.

It is therefore probably timely to update another one of our blog pieces, this time from March 12th, in which we mentioned the progress of the disease in Italy.  Fitting a logistic curve to the data up to that point (at which time Italy had reported about 12 500 cases) suggested that the total number of confirmed cases in Italy would ultimately reach about 40 000 but, sadly, that has not proven to be the case.  Re-fitting the curve two weeks later suggests a much more prolonged and severe wave of infections.

Meanwhile, fitting to data in the UK a week ago suggested a final total of around 50 000 confirmed cases for this pandemic wave.

Once again, this picture changes daily as new information emerges: to reiterate, the predicted total for Italy trebled over the course of two weeks.  However, as can be seen from the graph, so far progress of the disease is actually below the fitted curve.  We’ll keep you posted.

Two reports have now been completed into the cause of the failure of the slipway at Toddbrook Reservoir in Whaley Bridge on 1st August 2019:

  • The “Toddbrook Reservoir Independent Review Report” by Professor David Balmforth, commissioned by DEFRA; and
  • “Report on the Nature and Root Cause of the Toddbrook Reservoir Auxiliary Spillway Failure on 1st August 2019” by Dr Andy Hughes, commissioned by the Canal & River Trust (CRT).

Both reports are publicly available on-line.  Whilst I don’t pretend to understand the technical details, both authors are quite clear that there were multiple serious defects in the original design of the spillway.  This enabled water to flow under the slabs forming the spillway, eroding the fill beneath them and, ultimately, displacing the slabs themselves.

Interestingly though, the authors differ in the significance of the contribution of widely-reported maintenance issues at the dam: Balmforth views this as another primary cause of the failure, whereas Hughes sees it as very much a secondary consideration.  Balmforth also mentions a third contributing factor, the failure of the CRT to lower the water level when the severe weather warning was first issued, but is unable to judge if this could have prevented the outcome on the day.

Whilst Balmforth and Hughes are concerned with specific issues of dam design, the general pattern of multiple “latent incubating defects” in a system is very familiar from studies of previous disasters from Aberfan to the Challenger Space Shuttle.  As in these previous incidents, various people in different organisations (and indeed members of the public in Whaley Bridge) were aware that there were issues with the dam, but nobody was able to put the pieces together: what Barry Turner called a “Failure of Foresight”.  Turner went on to identify four common features in such failures, two of which are specifically highlighted again in the reports into Toddbrook Reservoir:

  • Division of responsibilities – both organisationally between CRT and DEFRA, and individually between Supervising Engineers and Inspecting Engineers; and
  • Poor intra/inter organisational communications – in particular people not having access to drawings and other documents that they needed, and the failure of the most recent Inspecting Engineer’s report to prompt urgent remedial action on the slipway.

Reflecting on the incident at Toddbrook Reservoir, if we can identify and address these sorts of problems in our own organisations then we are one step closer to preventing a disaster closer to home.

It’s exactly six weeks since we first blogged about the spread of coronavirus – at that point we warned that the next few weeks were likely to be characterised by considerable uncertainty.  Much has happened since then; just in the last few days we have seen:

  • The formal declaration of a pandemic;
  • A lock-down in Italy;
  • Cancellation of flights from Europe to the US; and
  • Closure of schools in Ireland

However, we still know comparatively little about the threat that we are dealing with.

There is now reasonable agreement about some of the critical epidemiological details, such as:

  • The reproduction number, R0, lies between 2 and 3; and
  • The incubation period is around 5 days.

But still we are unable to answer critical questions like “How quickly will it spread?”, “Where will it hit next?”, “How bad will it get?” and “What can we do to limit spread of the disease?”  Absent clarity on these points it is perhaps not surprising that we see different governments reacting in completely different ways.  Interestingly, research published in the Journal of Clinical Medicine in early February predicted the likelihood of an outbreak in Italy as lower than that in the USA, Canada, the UK or Germany: so why has it happened?

Whilst we may not (yet) understand the cause of the outbreak in Italy, it may still be a useful case study of the effects of a coronavirus outbreak in a country like the UK.  The graph below shows confirmed cases up to today and a simple logistic curve predicting the progress of the disease up to the end of the month.

The chilling observation is that we in the UK are now at the point, in terms of both confirmed cases and deaths, that Italy was at about two weeks ago; but it just seems impossible to predict with any accuracy whether we will now follow a similar trajectory or not.  All the same, there must already be lessons being learned at government, industry and firm-level that we can usefully apply in this country: it is vital that we seize this opportunity in the limited time available.


Understandably we are all focused on the growing threat of coronavirus; but that doesn’t mean that other risks have gone away.  In particular this week we saw announcements of high-profile data breaches at Network Rail and Virgin Media.

On Monday it emerged that the email addresses and travel details of about 10,000 people who used free wifi at UK railway stations had been exposed online.  The database, found on Amazon Web Services by a security researcher, included personal contact details and dates of birth.  Then on Thursday it was announced that a database containing details of 900 000 Virgin Media customers and potential customers had been accessible on-line for ten months.  Once again this contained phone numbers, home and email addresses.  It is believed that neither database contained any passwords or financial details.

Whilst the underlying cause of the incidents appears very similar (failure to properly secure information stored in the cloud), the responses have been quite different.  Virgin Media promptly acknowledged that the information was accessed “on at least one occasion”; apologised to customers; and informed the Information Commissioner’s Office (ICO).  By contrast the wifi provider to Network Rail, C3UK, stated on Monday that “To the best of our knowledge, this database was only accessed by ourselves and the security firm and no information was made publicly available;” and, based on this, they had chosen not to inform the ICO.

It is not clear if C3UK’s approach has provided much reassurance to passengers who may have been affected.  It would appear though that their customers, Network Rail and train operating companies, are not overly impressed.  Network Rail have stated that they have contacted the ICO themselves and had “strongly suggested” to C3UK that it considered reporting the vulnerability; and Greater Anglia said it no longer used C3UK to provide its station wifi.

Understandably, media attention in the UK is focused on the growing threat of Coronavirus and the two recent severe weather events. However, as well as these ongoing high-profile stories, there has also been a recent spate of food product recalls.

We have been tracking the number of food product recalls on the FSA website for some years now and the figures are pretty low and fairly steady (the figures for electrical product recalls, also shown, actually appear to be falling):

However, despite this, there have been five food product recalls in the last week alone:

  • Lidl – Lupilu baby food
  • Waitrose – Duchy organic almonds
  • Nestle – Ski yogurt
  • Iceland – Vegetable lasagne
  • Coop – Gro sticky toffee pudding

For more details of these recalls go to the FSA website.

How surprised should we be by this: is something amiss? If the true underlying incidence of recalls is about 50 per year (or one a week), we would expect to see a week with 5 or more recalls about once every 5 years; so it does seem a little strange.

We don’t want to spread alarm though – this is almost certainly just a random blip. It is important to bear in mind that if you look hard enough you will find some unusual events out there! Nonetheless, if you’re in the manufacturing sector, it might not be a bad idea to give your recall plans a quick refresh.
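The “once every 5 years” figure above is a Poisson tail calculation, and the “look hard enough and you will find unusual events” point can be put on the same footing. The script below is an added example written for this page, not the blog’s own workings: it treats recalls as arriving at a constant average rate, computes the chance that a single week sees five or more, the average gap between such weeks, and the chance of seeing at least one such week somewhere in a five-year run. The rate of 50 (or 52) per year and the threshold of 5 are the post’s figures; the 52-week year is an assumption.

```python
import math


def poisson_pmf(i, lam):
    """P(X = i) for X ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** i / math.factorial(i)


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): one minus the lower tail P(X <= k-1)."""
    return 1.0 - sum(poisson_pmf(i, lam) for i in range(k))


def years_between_weeks_with_at_least(k, events_per_year, weeks_per_year=52):
    """Average gap, in years, between weeks that see k or more events,
    assuming events arrive at a constant average rate (a 52-week year is assumed)."""
    p = poisson_tail(k, events_per_year / weeks_per_year)
    return 1.0 / (p * weeks_per_year)


def chance_of_such_a_week(k, lam, n_weeks):
    """Probability that at least one of n_weeks independent weeks has k or more events."""
    return 1.0 - (1.0 - poisson_tail(k, lam)) ** n_weeks


if __name__ == "__main__":
    # The post's figures: about one recall a week, and a week with five of them.
    print(f"P(5 or more in a week | 1/week) = {poisson_tail(5, 1.0):.4f}")
    print(f"average gap at exactly 1/week:  {years_between_weeks_with_at_least(5, 52):.1f} years")
    print(f"average gap at 50/year:         {years_between_weeks_with_at_least(5, 50):.1f} years")
    # Over a five-year run (260 weeks) a 'rare' week is more likely than not.
    print(f"P(at least one such week in 5 years) = {chance_of_such_a_week(5, 1.0, 260):.2f}")
```

At exactly one recall a week the tail probability is about 0.0037, so such a week turns up roughly every 5.3 years; at 50 a year it is nearer 6. Over a five-year window the chance of seeing at least one such week is about 0.6, which is why a single busy week on its own is weak evidence that anything has changed.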

I read and enjoyed Sabrina Cohen-Hatton’s “The Heat of the Moment: A Firefighter’s Stories of Life and Death Decisions” last year but neglected to blog about it at the time.  It was only when listening recently to media coverage of the London Fire Brigade’s (LFB) response to the Grenfell Tower fire that I was reminded of this oversight.

The book is a very interesting read on two levels.  I approached it from a technical perspective – wanting to see if any lessons from the emergency services could be usefully applied in training business leaders to tackle corporate crises – but my lasting impression was of a truly inspiring story of the author’s triumph over adversity.  I finished the book feeling like a serious under-achiever!  That said, I will focus here on the technical content.

The central theme of the book, the tension between intuitive and analytical decision making in a crisis situation, is very well explained; and illustrated with many memorable case studies.  The key output from the author’s study of decision-making by firefighters is a simple practical tool, consisting of three confirmatory questions to ask in the brief moment between making a decision and actioning it:

  • Goal – what do I want this decision to achieve?
  • Expectations – what do I expect to happen as a result?
  • Risks versus benefits – how do the benefits outweigh the risks?

Whilst the author takes the perspective of an individual Fire Commander, one could easily substitute “we” for “I” and apply the same questions in a corporate Crisis Management Team.

Despite my overall positive impression of the book, I have a couple of issues.  My first observation relates to the author’s repeated assertions that nobody had really investigated decision-making by firefighters before her.  This immediately struck me as odd as I knew that both Gary Klein in the US and (my former colleague) Katherine Devitt in the UK have published on this very topic; Rhona Flin’s work on crisis decision-making in other high-risk industries is also very relevant.  It in no way diminishes the author’s contribution to our understanding to acknowledge the important work that has gone before, so the omission is curious.

My other note of caution is around the author’s focus on the most challenging decisions, or “wicked problems”; which could create the impression that tragedies generally arise from a failure by an individual or team to deal with such extreme mental challenges.  However, the reality is that the shortcomings in LFB’s response, highlighted in Phase One of the Grenfell Inquiry, concerned much more straightforward decisions.  This is even more so in the world of corporate crisis management in which I operate: root cause analysis of problems identified in real incidents almost inevitably throws the spotlight on failures in fairly simple decisions, such as “Should we invoke the Crisis Management Team at this point?”  Despite this, many corporate teams will only engage with an exercise scenario if it is sufficiently extreme, challenging, sexy (and unrealistic).  I would always encourage people to thoroughly master the simple stuff before trying to tackle “wicked problems”.

In conclusion then, I would highly recommend this book, if only for the superb case-study (in Chapter 10) of a senior commander trying to re-write history during a post-incident debrief in order to justify the decisions he made on the day: a powerful illustration of why log-keeping is so important during an incident.  Enjoy!

Coronavirus Reaches the UK

Hot on the heels of the World Health Organisation’s declaration of a Global Health Emergency, today marked another watershed with the announcement of two confirmed cases of Coronavirus in the UK.  Obviously it is too early to know how the disease may spread within the UK but a look at the Global figures from the World Health Organisation (WHO) makes chilling reading.

This shows the characteristic exponential rise in cases at the start of an outbreak of disease, with the number of confirmed cases doubling every two days.  The exponential character of the spread is more obvious in a logarithmic plot which shows a pretty good straight line:

If this pattern were to be repeated in the UK, we could expect 2000 cases within the next 2 weeks and 20 000 a week later!
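The doubling-time reasoning above, and the logistic-curve fits used in the later posts on Italy and the UK, can both be reproduced with a couple of straight-line fits. The script below is an added example written for this page, not the blog’s own analysis, and it runs on a constructed series generated from the discrete logistic map rather than on WHO data (the ceiling K=40 000, growth rate r=0.35 and starting count of 10 are arbitrary choices). It fits the straight line on a log plot to get a doubling time, extrapolates from it as the paragraph above does, and then estimates the logistic ceiling from the way the relative daily growth falls as the count rises.

```python
import math


def logistic_series(k, r, n0, days):
    """Constructed case series from the discrete logistic map
    N_{t+1} = N_t + r*N_t*(1 - N_t/K). Illustrative data, not real counts."""
    series = [float(n0)]
    for _ in range(days - 1):
        n = series[-1]
        series.append(n + r * n * (1 - n / k))
    return series


def _linear_fit(xs, ys):
    """Ordinary least-squares slope and intercept of ys on xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def doubling_time(counts):
    """Fit log(N_t) = a + b*t (the straight line on a log plot) and return
    the implied doubling time ln2 / b, in the same time unit as the index."""
    days = list(range(len(counts)))
    b, _ = _linear_fit(days, [math.log(c) for c in counts])
    return math.log(2) / b


def project(current, doubling_days, days_ahead):
    """Extrapolate a count forward assuming the doubling time holds."""
    return current * 2 ** (days_ahead / doubling_days)


def logistic_ceiling(counts):
    """Estimate growth rate r and ceiling K from a logistic-shaped series.
    For the logistic map the relative daily increase g_t = (N_{t+1}-N_t)/N_t
    equals r*(1 - N_t/K): a straight line in N_t with intercept r and
    slope -r/K, so one linear fit recovers both parameters."""
    ns = counts[:-1]
    gs = [(nxt - cur) / cur for cur, nxt in zip(counts[:-1], counts[1:])]
    slope, intercept = _linear_fit(ns, gs)
    return intercept, -intercept / slope


# Constructed 40-day series: exponential-looking at first, bending over later.
CASES = logistic_series(k=40_000, r=0.35, n0=10, days=40)

if __name__ == "__main__":
    early = doubling_time(CASES[:8])      # first week: still looks exponential
    late = doubling_time(CASES[24:32])    # around the midpoint: visibly slowing
    print(f"doubling time, days 0-7: {early:.1f} days; days 24-31: {late:.1f} days")
    # The paragraph's own step: 2,000 cases doubling every 2 days, a week on.
    print(f"2000 cases, doubling every 2 days, 7 days later: {project(2000, 2, 7):.0f}")
    r, k = logistic_ceiling(CASES[:32])
    print(f"logistic fit on 32 days: r={r:.3f}, ceiling K={k:.0f}")
```

On the constructed series the doubling time fitted to the first week is about 2.3 days but rises to over 4 days by the time the curve is near its midpoint, which is the lengthening the later posts describe. Because the data here are generated exactly by the logistic map, the ceiling fit recovers K almost exactly; on real reported counts the daily growth figures are noisy and the early points sit far from the ceiling, so the fitted K can move a long way as each week of data arrives, which is what happened with the Italian estimate.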

Whilst the prime responsibility for slowing the spread of the disease and caring for those affected rests with the UK Government, organisations in every sector need to be thinking carefully about how they can minimise disruption to operations throughout the pandemic.  This includes, amongst other things, contingency planning for: excess absence of staff, supply chain issues and disruption to communications and transport infrastructure.  We provide some general advice on Planning for Health Emergencies in the Downloads section of the website.

Clearly the news from China over the last few days of the emergence and spread of Coronavirus has been very worrying.  The news today that patients in Scotland are being tested for Coronavirus makes the threat all the more stark.  Reliable data on infection rates and severity of the disease is impossible to come by at this early stage.  We therefore thought it might be instructive to look back at how the swine ‘flu pandemic played out in 2009 and draw lessons from that.

The swine ‘flu story broke in the UK in late April 2009 with the news of a serious outbreak of disease in Mexico and confirmation from the World Health Organisation (WHO) that this was a new strain of ‘flu.  By 1st May swine ‘flu was confirmed to have reached 12 countries in 3 different continents and the first death was reported outside of Mexico.  The WHO upped the alert state to Level 5, suggesting that a Pandemic is imminent.

In early June the WHO declared a global flu pandemic, due to the rapid increase in cases in the UK, Australia, Japan and Chile.  At this stage there were estimated to be 30 000 cases worldwide, with around 800 cases in the UK.  Perhaps most worryingly, the number of cases in the UK was doubling each week; and continued to do so into July.

Up until then we had still been working on planning assumptions prepared in 2007 in expectation of avian ‘flu.  Then, on the 16th of July, the UK Department of Health issued new planning assumptions, based on analysis and modelling of the most up to date data from the UK and abroad. The news was generally positive: in particular the estimated case-fatality rate was revised down to 0.1-0.35%.  However, the model still predicted that roughly 30% of the population would become ill at some stage.

As we now know, the pandemic did not pan out like that: the “first wave” of infections was peaking just as the guidance was issued, and the much-feared “second wave” was somewhat less intense.  The estimated total number of cases in England by the end of 2009 was between 500 000 and 1.5 million.  So the striking lesson from 2009 is that, even as more data on Coronavirus becomes available in the next few weeks, any epidemiological projections need to be treated with caution.

Even in the absence of accurate predictions about the progress of the disease, we can still apply some sound general principles to planning for potential business disruption; these include:

  • Identify any staffing bottlenecks and address them as appropriate (e.g. by documenting procedures, cross-training staff and succession planning);
  • Be realistic about your capacity for homeworking: how will this limited capacity be prioritised?
  • Be prepared for schools and other public services shutting down to prevent the spread of disease; and
  • Review vulnerabilities in the supply chain and discuss contingencies with key suppliers.

Even if the current threat fails to materialise in the UK, time spent now on updating, testing and exercising contingency plans will not be wasted.  Follow the link to download a useful checklist for planning for public health emergencies.


GDPR Fines Starting to Bite

A report published recently by DLA Piper looks at the impact of GDPR, 18 months on from coming into force across the EU.  So far 160 000 breaches have been reported, including:

  • 40 000 in the Netherlands;
  • 37 000 in Germany; and
  • 22 000 in the UK.

The report states that the fines imposed to date total about £100m, with the largest penalty so far being the €50m fine imposed on Google by the French authorities.  However, the UK Information Commissioner’s Office has already announced its intention to fine BA £183m and Marriott Hotels £99m; so these figures are clearly going to rise in years to come.  Moreover fines may only be a small fraction of the total costs to the company of a data breach: the IBM/Ponemon Institute 2018 Cost of Data Breach Survey found that the largest component of the average $3.86m cost of a data breach was lost business ($1.45m).

Meanwhile Doorstep Dispensaree Ltd, a London pharmacy, became the first UK company to be issued with a fine under the General Data Protection Regulation rules in December.  The company was fined £275 000 for its “cavalier attitude to data protection” in regard to the disposal of records about vulnerable care home residents.  According to reports, approximately 500 000 documents which included patient names, dates of birth, NHS numbers, medical information and prescriptions were left at the back of the premises.

Visit the Information Security section of our website to see how we can help you to meet your obligations under GDPR.

There is a strong sense of “situation no change” as the 2020s began with three high-profile IT problems in the UK Financial Services Sector.

Firstly, the on-line banking services and mobile apps for Lloyds, Halifax and Bank of Scotland (all part of the Lloyds Banking Group) were all disrupted on New Year’s Day.  The disruption is believed to have begun around 0400 and was resolved by midday.

Then, on the 2nd of January, Travelex announced that it had taken down its UK website following the discovery of a “software virus” infection on New Year’s Eve.  This then had a knock-on effect on a number of major banks who are reliant on Travelex, including Tesco Bank, HSBC and Virgin Money.  Once again, this incident highlights the importance of managing continuity in your supply chain.  At the time of writing (6th Jan) the Travelex UK website still has the message “Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly.”

Meanwhile on the 3rd of January, stories began circulating about problems at Yorkshire and Clydesdale Banks (both part of the same group).  It emerged that payments, including salaries, that people had been expecting had not appeared in their accounts.  The company was reasonably prompt in acknowledging that there was a problem, and assured customers that any charges incurred would be refunded.  However, as in previous banking disruptions, there has been criticism of the company’s crisis communications.  The bank stopped replying publicly to customer questions on Twitter in the midst of the disruption; and customers have complained about long waits to speak to anybody by phone.