Wed, Mar 30, 2022

Kroll's Security Concepts Podcast

Kroll’s Enterprise Security Risk Management subject matter experts have come together, alongside special client guests, to host a podcast series discussing the world’s most pressing security challenges.
Episode 17
Business Resiliency in Times of Conflict

In this episode, Nick Doyle and Matthew Dumpert of Kroll’s Security Risk Management practice discuss the early lessons learned while helping our clients prepare for and respond to business continuity and employee safety concerns resulting from the current conditions in Ukraine. Listen to Nick and Matthew discuss what information they have been collecting for clients, key areas to focus on during crisis preparation and how a proactive approach to both testing programs and gathering data has helped companies respond to the unexpected.

Passages from the Episode

A Proactive Approach to Continuity and Resiliency Planning

“I've seen some samples of the daily updates Kroll has been producing. Can you briefly go over the data gathering process and the content going into those documents?” - Jeff Kernohan

“It's been a really busy few months, especially responding to our clients that either have operations in Ukraine or had operations in Ukraine, but also for clients that have operations in the countries on the outside of Ukraine, such as Hungary, Poland and Romania. Anything that's happening in Ukraine is going to affect those countries so it's key that clients with business operations in that region understand the impacts of this war, and actually before the war actually started, or the invasion started, about what those impacts could be because this helps clients anticipate the problems that may occur.”

“In terms of the information we're gathering for these clients, we're looking at setting a risk picture, which is an important thing, and part of setting that risk picture is understanding the triggers that they may need to identify to make informed decisions. We're working on pretty much a traffic light system where we identify triggers and how much they've been impacted at that time, and that helps clients make those informed decisions. We're looking at military risk. We're looking at geopolitical risk. We're looking at diplomatic areas, what's being discussed. We're covering the whole spectrum of risk management and understanding and analyzing that data, and then putting that in a very compact report that clients can understand. Importantly, after that report, we are attending crisis management meetings where clients have the opportunity to ask us questions and they've been received very well by our client base.” - Nick Doyle

“Having seen the work that Nick's team is doing and the people that we have on the ground in Eastern Europe are doing and the information that they're providing, I can tell you, it's second to none. It’s really helping inform clients on the critical decisions they're making related to the protection and the safety of their people, their facilities and their brand. The continuity and resiliency plans of even the most robust corporate partners are strained and being put to the test. Those who are well prepared, well-oiled and pragmatically practiced are faring better than others.”

“Of course, we're helping our clients throughout the various spectrum of preparedness, but I can tell you the revenue loss and the reputation loss and all of the things that we're trying to help protect our clients from, is much more successful with those who have the robust planning, have practiced their continuity and resiliency plans and use those plans in such a way that it's not necessarily checking a box or having a binder on the shelf that, yeah, right, we've got the continuity and resiliency plan, but it's those that have actually practiced it and put it to the stress test. So real kudos to Nick and his team for the work that they're doing on the ground, providing real actionable information, answering the compelling questions that our clients ask to inform their processes in the region, and it just highlights the need for that robust continuity and resiliency planning.” - Matthew Dumpert

“One of the clients we are working with in Ukraine approached us around their business continuity and resiliency plan. They already had a very basic plan, but it was nowhere near sufficient to support their organization. What we did for that client is developed a timeframe of literally 10 days where we worked 20 hours a day to hold remote meetings with that client's stakeholders within their business and develop a business continuity plan so it could be delivered in that 10-day phase. We knew time was short potentially, and that the possibility of an invasion by Russia into Ukraine was probably not that far away. We had to start working dynamically to deliver that business continuity plan and kudos to the client. They've shown sufficient foresight to engage us to do this type of work at that time.” - Nick Doyle

“That foresight is really important to highlight because we find throughout our client base and throughout those partners that we work with, some common themes throughout their resiliency and continuity planning and many have the banner threats to continuity well covered. In this day and age, it's incumbent upon all of us in the security, safety, continuity and resiliency field to take a step back and really assess what are the unique potential threats to enterprise that we now need to plan for. Whether it's threats to sovereignty, threats of natural disaster in areas that previously weren't as significantly impacted, denial of service attacks, ransomware attacks or a litany of other cyber-related incidents. It's important and incumbent upon us in the field, working with our partners within our client base and the executives within their organizations to identify these new and emerging threats to business, threats to continuity and threats to resiliency.”

“Even just with the decentralized nature of workforces, because of the global COVID pandemic, continuity and resiliency plans are stretched so thin. There's clearly benefits to having that decentralized work-from-home hybrid-work environment, but there's also real stressors. The continuity plan, the resiliency plan that we have prepared, if we don't dust it off from time to time and look at it through the real-time lens and the modern-day lens, we can be caught ill-prepared, and it's being demonstrated here now. Those clients that have taken that proactive approach, that have engaged Nick and his colleagues and others throughout Kroll to take a look at these things, are faring far better. I can say that absolutely.” - Matthew Dumpert

“Just to add to that, I think companies have put a lot of preparation into managing the pandemic in the last couple of years. And now we've got the geopolitical risk, a war afoot in a part of Europe. Two or three years ago, no one would've foreseen these issues as likely issues to build their business resilience around. What we're now seeing is the things that were unlikely two or three years ago are now more likely. This has to be redressed amongst many client organizations. They have to revisit their business resilience and business continuity plans because things have changed and they will have to change their plans as well.” - Nick Doyle

“This is demonstrated acutely by the ripple effects that we're seeing now too, as a result of the violence in Ukraine and the disruption to food supply, a critical supplier of food for entire regions and staple food items. There are these ripple effects when you have threats to sovereignty, when you have civil unrest, civil disobedience, when you have refugees in the millions fleeing a country. Of course, we could not have foreseen this years ago, but it's incumbent upon us to think about those ripple effects as well. Nick mentioned those partners in Eastern Europe regionally, but the ripple effects are being felt throughout the world with supply chain disruptions, with displaced persons, with now low-level civil disobedience and civil unrest, as a result of food shortages and increases in crime as a result of these food shortages. It's really important to take, I won't say, maybe a creative look at continuity and resiliency, but it's learning from these experiences and learning what those other ripple effects might be, and working that back into your business planning.” - Matthew Dumpert

Key Areas for Crisis Preparation

“So a business plan that is proactive, really adjustable on a given nature and an ability to fluidly respond to the rather fluid threat nature of today's world is one that is going to be the most successful and the easiest to implement and oversee. When we really come down to what we're seeing with this in the world and the ability to prepare for the next big crisis, what are some key indicators that businesses should be aware of? We've already talked a little bit about the great need for information. Are there any others that we really should put at the forefront for people to monitor as they approach the next crisis?” - Jeff Kernohan

“I think we should be looking and advising clients to look at how their supply chain risk is impacted by what's going on with these events in Ukraine and elsewhere. So that would be a key area I would say, clients need to focus on.” - Nick Doyle

“Certainly supply chain, certainly risk. Also, assessing their ability with this new remote work and decentralized nature while it plays into continuity and resiliency, and having a decentralized workforce, because then no one incident or event is likely to disrupt an entire workforce. But what we've found is sometimes critical functions are performed by a small group of people. We have to take a critical look at where those people are and how reliant they are on local infrastructure. If there's a disruption to that local infrastructure (i.e. power, water, Internet, how devastating that could be to a business enterprise, etc). If those personnel are performing critical functions and we conduct the business impact analysis, and we recognize that their functions are so critical to the continuity of the organization, we need to think creatively on how to replicate, duplicate or otherwise backstop what they're doing.”

“We're learning that here in real time, and if we don't capture these lessons learned, I fear we'll be in a no better place than we were. We are learning these lessons and applying them to future continuity and resiliency. I can tell you that our global clients are feeling these pressures and seeing them in various regions throughout the world. It really helps us understand how major organizations are dealing with these problems globally, and frankly learning from one another. One of the things I've been very impressed with over the last two and a half years is the resiliency and the creativity of us as a people and our business partners. I'm confident that there's not a hurdle we can't clear, but you must have smart, talented and pragmatically thinking people applying their skills to these problems.” - Matthew Dumpert

“I'll just go back onto that as well in terms of risk monitoring. Risk monitoring allows companies to quickly identify issues and risks that they can react to and anticipate. The risk monitoring aspect of understanding where the areas of issue or areas of concern are going to impact your organization, to have advanced notice of that by getting regular risk monitoring. That is a key element I believe.” - Nick Doyle

“There's no shortage of information, but highly curated, actionable, reliable information, separating out the noise from the actionable information that we can then provide to decision-makers, to ultimately make serious decisions about people, property and reputation. That to me is the cornerstone of what we do. Without that highly curated, highly actionable information that you get from the field that you consolidate through various collection mechanisms, some human, some technical. Without that information, we can't have confidence in the decisions we're making. Being able to digest highly actionable and curated information, and being able to separate that information from noise, from disinformation campaigns and from trolling activities. That to me in this day and age is absolutely critical, and providing that information to decision-makers is really the only way to make truly informed decisions on matters of life safety and security and brand reputation.” - Matthew Dumpert

Talk to a Kroll Expert

Kroll is ready to help, 24/7. Use the links on this page to explore our services further or speak to a Kroll security risk management expert today via our contact page. 

Business Continuity, Resilience and Disaster Preparedness

In today’s fast-paced world, disruptions can happen anytime. Kroll’s full suite of business continuity, resiliency and disaster preparedness capabilities is designed to prepare your enterprise for unexpected risks and maintain competitiveness throughout the full lifecycle of any disruption.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.