 Te 21st century has been fraught with concerns about safety. From the micro level where we look at fraud and credit fraud and theft, for example, through to the macro level where we look at the terrorist threat. The issue here is that the nature of the terrorist threat keeps changing. So it's gone from organised groups as well as the lone wolf and the nature of what these different groups are targeting, whether it's cyber, whether it's aircraft, whether it's open places and spaces such as soft targets, stadiums, postcard targets. The nature of it is constantly morphing and changing. And this means that for organisations, extreme events sated from a terrorist attack exposes them to high levels of risk and uncertainty, which can stretch them to and beyond their limits. And so the difficulty is when we look in the context of New Zealand that although these extreme events are probably random and they're improbable, that they do actually occur and we need to be prepared. And this is a country without a history of a lot of threats, but the nature of the global threats now and the way it's morphing and changing is such that we need to be prepared and working together as much as possible so that there is very quick business recovery. The implications for society are that your critical national infrastructure can easily be exposed to extreme events. For example, if your critical national infrastructure like communications, your food supply chains, your water and utility companies are private sector-owned, what have they done to prepare themselves in the event of an extreme event? So for example, in the UK, 80% of the critical national infrastructure is private sector-owned and often foreign-owned. So to what extent are they working with local government authorities, central government, so there's public-private partnership to prepare for extreme events, which means that there is a quick recovery and we're back to business as usual as soon as possible. From my extensive research and consulting with the British Government and British PLC, what we have found is that there is a great variation in degree of preparedness across sector and across regions in the UK and partly that is to do with the fact that some organisations have been more exposed to previous disasters or they have a lot of experience. They've had their resilience tested and they're able to use that knowledge to inform their current practice and also other organisations in their supply chain. But it does vary a lot in organisations in terms of the structure. Where does the business continuity manager sit? Do they have board representation? How much influence do they have over decisions about finance and what to invest in terms of preventing or being prepared for any kind of disaster? The degree of regulation, so airlines and banks are in highly regulated sectors, although many of them were coming to us asking for advice to learn from other sectors because they didn't want to just have the same knowledge flowing around the same ideas. They wanted best practice from other sectors, but regulation certainly sets a standard, a minimum of compliance and auditing. And also the culture of the organisation. Some are very audit and compliance driven where others see resilience as part of their whole organisational culture because they want to be able to be resilient to any kind of threat, not just the one that perhaps just experienced, which might have been flooding. They want to be able to be prepared for a pandemic, a terrorist attack, a flood or whatever it may be and therefore they want resilient capabilities right across your organisational culture. Some examples of this would be in the airline industry. Catering and onboard catering has always been known to be a point of vulnerability for airlines because the food could be poisoned or a bomb could be put in. The food delivery units. So some organisations have gone so far to mitigate that risk by actually not having catering onboard at all or having sandwiches or different kinds of onboard service. Certainly the low cost airlines have gone that way. They also outsource their security checking and get the airports to do it for them. But when we look at the differences to utility companies, there was a famous case of seven Trent in the UK which did not deal very well with the flooding in 2007. Then there was the PIT review. What happened there is like many organisations, there's still a expectation the Government is going to step in and resolve the problem at the point of the crisis and then probably help the organisation through the crisis. But actually the UK Government, like many governments in the world, with the nature of extreme events, want the private sector organisations to be prepared and manage themselves through this crisis. Because the unintended consequence is certainly in the UK flooding example was that generators got flooded which affected local hospitals which caused even more crisis and catastrophe. So these organisations that are now part of the critical national infrastructure that a private sector now need to show to governments and insurance organisations that they are being prepared. And I've seen this with the Canary Wharf Group in London. They have a resilience group that works very closely with the Government and all the big bank representatives come together for meetings with blue light services and prepare for all sorts of different scenarios and events, not just one kind but several of threats that might happen and then how would they respond to that collectively as a group considering they're all sharing a shared space in London. I think business continuity managers, for example, have quite a difficult time trying to convince people that sometimes there is a threat. And certainly in the UK there's a risk register for every region that you can go on the website and see what the risks are in your particular region which can educate managers and they can look to do scenarios with their staff, part of their training to look at how to be prepared for different types of events. And also they can work with local government agencies, organisations in their geographical area. So, for example, if it's a large shopping mall or if it's the CBD area, involve all the companies that are around a certain area and bring their representatives together with blue light services and government and so forth to play out some of these scenarios. It's called exercising and it's very common in the UK to come across these large exercises going on where they'll be playing out a scenario and close certain streets. And that's part of the public-private partnership so that there's a higher awareness amongst general population of what's going on. And that's something that's very useful but that often is just as the minimum. It's about getting everyone to be aware. So we could look at a recent example like Sydney with the Lint Cafe and you could ask questions about were those staff prepared for any kind of incident, were they aware that they are near the critical national infrastructure such as Channel 4 Studios which was right across the road and nearby they could potentially be involved in something at any time and also were the staff, had they practised scenarios to certainly in some of the large hotels here in Auckland I remember over 20 years ago being trained to be aware of bomb threats and certain types of things that might happen when there's high profile people staying in the hotel who could potentially be a target. So it's about that awareness at all levels of the organisation and making sure that everyone is prepared and aware that something could happen at any time. Organisations can improve their resilience through a number of means. It's just to recognise where they're located and so if you're near iconic sites like Sky Tower or postcard potential targets like museums or historic buildings or even Park any of these very big iconic structures then you have to realise you could be vulnerable as well not just if you're by an airport for example and the threat can be that your location is near other organisations similar to your own. So in a CBD for example I mentioned Canary Wharf before there's about 18 or 20 global banks there they're all there because they want to be together they want to cluster but by being all together they're actually raising their threat profile it's a higher level of risk by actually being all together because they can all be targeted in ways through terrorism which will mean that globally all their brands are affected in one go. So you have to be aware of where you're located the type of vulnerability that could be coming through whether it's a cyber threat within the organisation whether it's an external threat to your building or infrastructure or if it's to an organisation in your supply chain or your geographical area you need to think about your community resilience your corporate resilience has multi-layered levels of resilience you need to be thinking about and have a more joined up approach working with the public services on how you respond because the main aim is business recovery getting business back to usual and the recovery of the economy or the entire region as quickly as possible so therefore there's a real need not to be complacent not to think that some of the threats are not ever present they are present and it's about being aware that you need to be investing and being resilient and you need to be creating a culture inside the organisation that people are able to know what to do in the context of any kind of extreme event not just relying on the business continuity manager being able to be empowered and have it done exercises to look at different kinds of events that may happen and therefore know what to do if they're faced with some kind of crisis