Webinars
When Chokepoints Close: Build Resilience That Works Under Pressure
70 views
Global supply chain disruptions are not the exception for operational resilience teams. For many teams, every time a crisis hits, the same gaps are exposed. This session is about how to close them, with insights from Maersk, the world's most recognised organisation in global trade.
Hear from James Connell, who sits at the intersection of security risk, operational continuity and commercial decision-making at Maersk, and Magnus Josias, Head of Business Continuity at Human Risks, on how resilience frameworks hold up when supply chains are actually under pressure. This session will be hosted by Douglas Gray, Human Risks Head of Product.
You’ll walk away with:
Firsthand resilience strategy insights
Learnings from the frontline
Frameworks for mapping dependencies and single points of failure
Crises don’t wait. Hear what it actually takes to stay resilient.
Can't make it live? Register anyway. All registrants will receive the recording after the webinar.
Hosted by Human Risks | Security risk and continuity programs that scale.
View transcript
All right, let's kick off. Welcome everyone to this afternoon's webinar. I'm Douglas Gray, Head of Product here at Human Risks, and I'm joined by James and Magnus, who we'll introduce and go around the room in a second. Welcome to a really, really interesting discussion today around supply chain security in 2026. Obviously a hot topic at the moment and something that is very, very relevant both for security and resilience teams. There's two other speakers here with me. I'll introduce myself in a second after we've gone through those, but I'm happy to be joined today by James Connell, Head of Supply Chain Loss Prevention at Maersk, as well as Magnus coming in from the Human Risks team. Many of you will know him, co-founder and Head of Business Continuity here at Human Risks. Just before we get started, and I'll go through some house rules and a little bit of detail on what we're going to be discussing today in a second, but it'd be great just to start with a round of introductions, starting with yourself, James. Let everyone know your background, what you do at Maersk, and where you sit on that team. Excellent. Thank you, Doug. So again, my name is James Connell, joining today from Copenhagen, based out of the home office of Maersk here in Copenhagen. Obviously, I'm sure everyone could tell from me talking that I'm American. I came to Denmark about three years ago for this role. I have a history in logistics as well as retail coming from some of the big companies like Amazon as well as Walmart. My role at Maersk, as the title says, is Head of Supply Chain Loss Prevention. Me and my small team are in charge of setting the strategy for how we protect our goods throughout the supply chain, as we are an end-to-end supplier that includes everything from on the road, within warehouses, depots, vessels, all of that good stuff, as well as kind of setting our direction for a lot of our mitigating steps, which as we know are extremely important in our overall resilience process to making sure that we put the right things in place before wrong things happen. So it's a little bit about me, and I'll hand it over to you. Thanks, James. Magnus here, also calling in from Copenhagen and Denmark. Yeah, really, really happy to be here, and I'm looking forward to this conversation. I recently joined Human Risks about three, four months ago. I've spent the last 10 years in the resilience industry, had a crisis management platform that we merged with a company called Dataminer, threat intelligence platform in 2021. I spent a couple of years there working with threat intelligence across security and resilience, and the past three years I've been in pharmaceutical industry in security and in resilience. So my role in Human Risks is primarily on the business continuity management side of things, but really in this cross-sections between security and business continuity management, which is also where this discussion today will happen. So I'm looking very much forward to this. Thanks both. And as a brief introduction to myself, I'm today's host. I'll be asking some questions of James and Magnus and also be monitoring the chat, so feel free to throw in some questions. I can see we've got people dialing in today from Bulgaria, from London, and from across Denmark. I'm also in Copenhagen today, but normally we're based in Elbor, where the Human Risks team sits. As the head of product at Human Risks, I work really closely with our customers on designing and implementing new workflows and systemizing them so we can automate them and make smarter decisions or enable smarter decisions with security and resilience teams. And we're very lucky to be working with teams such as James's team from MERSC. My background is mainly in FMCG. I spent the first 10 years of my career working in resilience and enterprise risk in a large FMCG firm in New Zealand, where I'm originally from, as well as working with teams across Paris and in France and the UK, mainly on resilience and business continuity strategies. So very much tied to some of the key discussion points that we're keen to get into today. Just a little bit on house rules for today's session. We will be recording the session, but feel free to throw questions in the chat. We are very, very keen to make this an open dialogue, so not make it a one-way. If you've got any questions on what we're talking about, we will reserve some time for a Q&A at the end, but also feel free to throw them in, and I'd be very, very happy to pick them in and make sure that in our conversation, we're making sure that we're folding in some of the things that you're seeing on the ground or experiencing in your teams. My colleague Stella will also be monitoring the chat, and in case I miss anything, you'll be sending anything across. And just a little bit on us at Human Risks, for those who don't know us, just before we get started, Human Risks is a SaaS company founded in Denmark by industry experts in the security and resilience space. We provide security risk and continuity programs designed to scale using our tool, using the Human Risks platform as a unified platform to replace fragmented tools and build resilience across organizations. So very much designed for teams, both coming, say, from spreadsheets or coming from environments where they are using different fragmented tools and aren't able to get that unified view of security and resilience across their asset footprints. We're trusted by some of the biggest brands in the world, such as GSK, HSBC, and again, at Crane Currency and Maersk. I'm very, very lucky to have a good, strong partnership with Maersk and working very, very closely with yourself, James, over many of the last few years. If you don't know us and would like to know more about us, do feel free to drop a message into the chat. The team will reach out and make sure that you have the ability to connect with us, and we'd love to be in touch and jump on a call. So if you'd like to send a message into the chat, and I see Stella's already picking that up as well. So thank you very much, Stella. And just lastly, before we get started, we do have a poll. We'd be very interested to see who amongst the audience has potentially been impacted or exposed to the Strait of Vermeer's crisis. When we originally set this and started having this conversation around the impacts of supply chain resilience and of supply chain security, and discussing this with James, we knew that the Strait of Vermeer's was going on. We don't want the entirety today to be on that, but it is obviously present for many of the attendants today. And as I can see, 100% of those who have joined us today have been impacted by it. So obviously very relevant on the ground as well. Great. Well, I think without further ado, it'd be just fantastic to get into the agenda. We're covering off three topics today, just to give you a bit of visibility on what we'll be discussing. We very much want to start with a focus on the Strait of Vermeer's, but also some of the structural lessons that we've seen coming from the crisis and some similar events previously. And then very much want to land on some of the practical frameworks and practical learnings or outputs that we've seen. And James, very, very keen to start with your expertise. So to jump straight into it, the Strait of Vermeer's closing was a choke point. And it's not the only choke point that we've seen close over the last few years, but something very, very kind of relevant, especially when you're talking in supply chain security and resilience. And it's, you know, when these choke points fail, it's, there's often the case that there's the first couple of things that breaks for teams. And, you know, the continuity plans that they have in place, but they break very, very quickly, and don't tend to kind of set teams up for success. So, you know, based on MERSC experience over the last few months, or going back even further, really keen to get into, you know, what the impact has been when the Strait is closed, and kind of more broadly when other choke points have closed for you as well. Of course. So there's a couple points I'm going to hit on here, probably not in any specific order, but I think there's some key relevant things to talk about, right? So I think we learned last year, with the shorter Israel-Iran conflict, and then kind of what we're experiencing now, that when these choke points happened, and you can go all the way back to COVID with this lesson learned as well, as we tend to be eternal optimists. So with our BCPs, they tend to be structured for a 30-day disruption, even a week disruption. And what we're seeing with these now is these 30 and 60-day disruptions, right? Or, I mean, sorry, three to six-month disruptions, and potentially longer. So what we really see is, first of all, an immediate eternal optimism is kind of the word I like to use among the operators of, oh, we'll be able to do this in a week, or we can make plans to do this. So I think we as security and resilience professionals have to be kind of the realist in the room and say that that's probably not going to happen within a week. That's probably not going to happen within 30 days. And we need to be prepared that this could potentially last six months or longer. So it isn't so much a, you know, in risk management, you have that classic formula that says the cost of a temporary replacement, plus the cost of, you know, a permanent replacement. Immediately, people are trying to move back to standard work when, as we've seen with the straight-of-horn moves, it may never, ever go back. Depending on how Iran potentially moves forward with permanent tolling, we may see a permanent increase in cost for goods across the globe, not just oil, because as we know, oil affects all good prices. So we may see something carrying forward past this. I would also say that some of the initial things that break with BCPs in these types of situations is overly planned BCPs, which kind of sounds like an oxymoron. But we at Maersk, and I think in overall in the industry, your BCPs really shouldn't be a step-by-step process. They should be more of a way of working to get the right people in the room to make the right decisions. Because as soon as you have a step-by-step process, the faster it will go wrong. So I think in these situations, it's extremely important to have this crisis management frameworks, as Magnus alluded to earlier, approved from the top level down with the decision-making matrices, you know, the classic RACI model already established to where that can happen immediately. So whether it's daily calls, twice a day calls based on the urgency of the situation. How do you set yourself up for success? And then one last thing I'll just say real quick before maybe I leave it to anything with Magnus to add on to this is what we see early in these type of crisis situations is a desire to find the perfect solution, but an imperfect plan implemented quickly is better than a perfect plan implemented too late. So how do we make sure that we make decisions? And it's really interesting to security and resilience professionals. We may not have all the knowledge, but it's on us in those crisis management frameworks and those larger conversations to kind of be the forceful one and say, hey, I know no one likes where we're at right now, but we have to make a decision in the next 24 or 48 hours and things like that. So I think those are a couple of key things that break as well as a couple of things that need to be very clear and made aware in the beginning of these kind of large disruptions. Magnus, I've been, as James alluded to, very interested in your thoughts on this as well. In particular, it's to your point, James, there's often this gap between having a plan and then the plan that actually works during a crisis or not ending up in this scenario where there's a plan that just it's either not looked at or it stays in the drawer with the dust on the cover. It's never actually picked up. I think a lot of organizations learn that during COVID, for example. You know, Magnus, you know, working across the industry, what's this gap with the humus response? What's that show and the difference between plans that actually work and the ones that just stay with the dust on the cover, as I said before? Yeah, I like that framework approach that James has. I think, you know, the operational playbook, it can work at a certain level of the organization where checklists are quite valuable. But I think, you know, the communication piece of this, it's not, you know, a site function in a crisis. It's very much the crisis management here. And this is also where, you know, it reveals who actually owns resilience in the organization. So I've been in situations where things have happened and, you know, the senior leadership have looked to resilience to, you know, highlight data, you know, criticality, listings of assets and stuff like that. So I think in most organizations, this is generally quite unclear who owns it. But this, you know, ambiguity becomes very visible, very fast in these situations. I think another thing to touch on is that when you do these kinds of, when you do the scenario planning in the BCPs, James, you touched on it, but I think these long term scenarios are a little bit overlooked. There's more focus on it over the past years, but the immediate disruptions have been a focus. But now I think we need to plan for more longer, you know, probably what bigger situations that impacts the organization for a longer time, especially when it comes to supply chain. And, you know, actually just to come back and focus on the straight up our moves for a second before we jump into some of the structural lessons from it. James, and I believe the team actually has some slides that you shared with us beforehand, but can you walk us through what the last few weeks and month and a half in particular has been for the MERS team? Yeah. So just to really quickly talk about our framework, right? And so this is publicly available in our, in our customer packs. So this is something that we base basically everything we do. So we as Global Security and Business Resilience at MERSC, I report to my boss, Mikhail Rasmussen, who's the global head of Global Security and Business Resilience. And besides all our great regional leaders and area leaders across the globe that manage security and business continuity, we also have a central team, which includes my peer, who is the head of crisis management and business continuity, as well as another one of my peers, who is our head of threat intelligence, who came from 15 years at the FBI. So very knowledgeable individual. Our head of crisis management business continuity is from oil and gas has dealt with some fairly significant crises over the years. And we follow, or we've established our predict, prevent, respond, recover model, which basically every different portion of what we do falls into that. So I think that's something as simple as from a cargo continuity, do we have the right fences and cameras and all these simple things and, but not simple, but you know, the general things to what is our daily monitoring? Magnus mentioned data miner, you know, it's the siblings, it's the data miners, but what I want to talk about specifically is what it's looked like for us for the last couple of weeks is I think there's a lot of data out there, right? And it's across multiple platforms and let's face it, there's not a shortage of it. A quick internet search, chat GPT, we'll quickly give you, you know, type in chat GPT, give me a quick risk assessment. And the problem is, is it's on us as security and resilience leaders, especially knowing our business. I've always said to my teams, you have the unfortunate job of knowing everyone's job because we have to know how everyone else works because there's no value in giving an update. You know, I, last year I was covering Europe for a little bit, actually, during as a second hat I was wearing and giving the daily updates, I would collect it from this security leaders around that area. And a lot of it was, it read just like a briefing, you know, hey, these places were bombed. These people were thinking this, that doesn't help the operators make decisions. It's how do you apply it to the operational model that you're working with and say, not that loss of life, not that places being bombed aren't terrible, but if it has no operational impact on your specific business line or operational model, that's probably not the things we need to be focusing on those conversations. The second thing that we've been doing a lot for the last couple weeks is taking language and taking reporting and data and converting it to language for non-security professionals. We can talk ISO 31000, we can talk risk models, severity versus impact and all these things. Maersk is full of people that are really good at moving things. And we're one of the best in the world at it, but not everyone in the company is the best at our how to quantify risk and sometimes the wording that we use. So it's how do we create not just the words, but a lot of times imagery, you know, something as simple as a five by five risk matrix that says, here's where we're at, here's the triggers that will push us past this significant risk point. And how and when we get to that, here's the decisions that have to be made. And again, you're not making the decisions for operators and the senior people in your business. You're giving them the tools and the knowledge with the applicability to your business model or operational model to make those decisions. So I think for us, it's been taking this massive amount of data, compressing it to what's relevant to the business, and then converting it to a language and imagery that allows senior stakeholders in the operational world to make decisions in a timely manner, as well as how can I say this? I think one of the other big things to talk about here is understanding your company, especially we've been doing this at Merck is your risk appetite. There is no situation in any crisis where the risk is zero. So understanding your company's risk appetite before the straight of Hormuz, we operate in extremely dynamic risk environments around the globe in Latin America and our IMEA region. And we always have continued our operations with a certain amount of risk understood. Now, I'd say what's a challenge is in these conversations, especially with the straight of Hormuz is being always open to discuss if our risk appetite has changed, because it will change. And obviously, we're always going to prioritize the safety of our sailors, the of our people on the ground. But also, we need to be able to open the question continuously and say, has our risk appetite changed from two weeks ago based on the recent situation or the development in a disruption? If it has, we need to be able to provide the visuals and the proper wording to our operational leaders to make sure that they have what they need to make those decisions. So I think for us, it's been a lot of condensing, a lot of converting that language into a way that's digestible for our operating teams. And again, making them understand that I know the word that's conventionally used is like skeleton operations, right? So if we have to pick five things that are going to work and 10 that aren't, what are the five that we're going to make work? Because what I think also this eternal optimist idea is that we have to run at 100% even when the crisis is running. And not to jump off straight-whore moves, but I think it was funny last year, I had some interesting conversations with, not that it was funny, but we had the power outage in Spain, right? So the whole country went out of power for two days, and we had a lot of operators saying, well, what are we going to do? And it's like, we're not going to do much. The entire country has no power. And it was a short disruption, right? So we got back to full operations, but I think sometimes there's also the acknowledgement and working with operators to say, hey, let's continue to build plans, but let's maybe also take a breath and understand that we may need to just think about this for a second before jumping to making drastic decisions with large financial costs for a disruption that may be short. So I know I jumped off the straight of our most there for a little while, but I think that's about what the last couple of weeks have looked like for us here at Merck. I mean, it touches on a point that everyone who will have been impacted has gone through very, very much the similar kind of decision-makers and sticking points, if you will, through the state of home's crisis and whatever it may bring us over the next weeks and months as well, to be honest as well. There was a really interesting point there that I'm keen to bring Magnus in on on a second, and it's around crisis communications, both internally, helping understand risk and resilience, but also externally as well. But just before we do, you also mentioned risk appetite, which is something in particular in the security space can be quite hard for teams to communicate really effectively. We're lucky enough to work with many of the larger firms across Europe where there can be standing around security risk appetite being effectively zero, that controls need to be put in place right down to there's almost zero risk, which is just not the reality. And to your point, when you're sending sailors around, of course there is a risk appetite exposed to that. So just to pick up on that before we jump into communications, is the, you know, where have you seen that applied particularly well, and what's the unlock that you've seen to help teams understand where appetite actually needs to come into play and make a good decision around it? Yeah, so I think first of all, it's getting the right people in the room, right? So I think, unfortunately, we as security leaders have been exposed to things that make us a little bit numb. And that's nothing, that's nothing bad. I think, you know, a lot of people in the industry to law enforcement and military around the globe, we see things. So I think it's about getting those right stakeholders in the room, like your chief people officers and things like that, to make sure that someone is always representing each group extremely well, to say, have we thought about this? know, I think I've always, something I've always again told my leaders is sometimes you have to sit at the table, even if the conversation is not relevant to you at the moment, because when it does become relevant, you need to raise your hand. And it goes, it goes the same way for a chief people officer. So we might say, hey, the last 20 ships have made it through, there's very little chance that anything will happen. But then the chief people officer, or have we thought about this? Or HR for our vessels? So I think it's about getting, making sure there's a voice speaking in every room, I mean, for every, every person in the room and not in the room. So I think for us, that's been one of the key things. And then I think historical data is important, right? So how do we reference past crises? How do we reference past disruptions and say, this is what we did then, this was the risk appetite then. And we're not saying apply it to the same situation, but we're just giving people anchor points to make decisions based on previous examples. So I think anything you do to quantify as well as qualify it through previous examples and historical data helps drive future decisions. Although we shouldn't solely base it on that because as we've seen, these situations are extremely dynamic. And with risk appetite, it's also really important to acknowledge that especially like in a situation straight before Moose, we have almost zero ability to change what's happening right now. Even as an American, I cannot pick up the phone and call Trump. Probably wouldn't want to anyways. But the point being, we can't influence the decision he's making. We can't influence the decisions that Iranians are making. We can't influence the Houthis that potentially, if we go back through the BAM or the Bab al-Mandeb, that what's going to happen with our things there. So there's a lot of dynamic pieces and understanding what we can and can't control for risk appetite, I think is very important. And I'm very, very keen to move into some of the structural lessons that were seen from this as well. And it's to your point, we have data from the past. So let's take this as an example and move forward. But just before we do, communication was one of the key points and what James was just sharing there. And Magnus, I'm interested in your thought on that as well. Because often communication can be underestimated, or the importance of communication, both internally, on helping people understand where risk exposure is, and then also externally, of course, as well. So just a quick fire. I'd be interested in your thoughts and there may be any builds that you have, James. You know, comms is a function in its own right. Where do most teams underestimate it? Yeah, I think that it's, of course, two ways. There's the internal comms, which is key. I think, James, you've mentioned it and touched on it quite a bit. But I think there's also the comms to your vendors. So one thing I wrote down when, James, you were presenting here is that, you know, I kind of the value in understanding the resilience of your vendors. So Merck is a good example. Like, when we understand the criticality of our vendors, we can have that conversation with them to understand, okay, we don't, we cannot plan for everything, but we can have a strong relationship and communication with those vendors to understand, you know, one thing is having SLAs in place. One thing is ensuring that our critical vendors have a BCP in place. But establishing that line of communication in peacetime and kind of wartime, quote unquote, I think is very, very valuable. Yeah, and I think, just to add to that with the comms piece, I think a lot of companies do think about the external as well, because we all know that, you know, when we talk about it at Merck, we protect people, assets, and brand, you know, and operations. But I think, you know, a lot of, especially publicly traded companies like our own are worried about brand, right? But let's face it, resiliency, and the plans that have to be executed, and the decisions that have to be made are made through internal stakeholders. So if you're not getting the comms to the internal stakeholders quick enough, and making people feel that they're empowered to make the decisions that they can or need to take the direction that they have to, it's very important. I think if I had to choose, which we shouldn't, between great internal comms or great external comms during a crisis, I would love, I would always take internal over external, right? Because we need to, these are the people making decisions, these are the ones making the business continue to run. So I think that's a good one. And I will take one second, if you don't mind, Doug's assignment has a really good question in here. And it's a very quick answer about AI and enterprise business impact assessments and risk assessments, because what is a BIA, if not a form of a risk assessment to analyze big data? AI is a great tool. We use it, everyone's using it, it's going to get more important. But we can never pass risk on to an AI. We can never pass, and that is a policy that's actually been written by us internally, is I have used them for risk assessments, I'll type it out, and then I read it all the way through, I make significant changes based on our operational model. And the fact that a lot of times AI just writes things to make us happy. And then including our knowledge from boots on the ground in those areas. So I think the key there is we don't pass on risk to an automated engine or AI intelligence. Yeah. Yeah, fantastic. It's, I mean, and to your point, it's something that's very omnipresent for us, obviously, and Magnus will talk about that a little bit more later on, but also for everyone in the industry. And I see also, Rajiv, thank you for sharing some questions as well. We're going to come to those, I think, at the end. We've got a good Q&A session right at the end as well. And just to pick up, and I'm keen to shift on to some of the structural lessons, starting with you, Magnus, and then, you know, very much the same thing, James, interested in your thoughts as well. You mentioned before vendors and suppliers, and both of you actually did. And it's one of the key difficult things when we're talking about business impact analysis, for example, and just how deep you go to get that picture, because you can't boil the ocean, if I can use that expression, very relevant for this. You can't boil the ocean to get a resilience picture if you need to make a decision quickly. So when you're looking at your supplier base, and Magnus, starting with yourself, how deep do you actually need to go to start getting a picture that you can start making a resilience picture on, on third-party risk probably in particular, before you should step back, make the decision, and then identify where to go next? That's a good question. It's very individual from organization to organization about how deep you want to go. And also, of course, depending on your resources, your data, maturity, and everything. I think, I'm not sure there's a good answer to exactly how deep you should go, but I think you should start understanding your critical vendors, your critical assets. And then I think what you need to do on each of them, and it's up to the individual organization to decide that that threshold, is that you need to understand, okay, if we lose this for an extended period of time, or short period of time, what is the, I say, manual workaround, or just a workaround for the organization? So we remove this vendor from the picture for one hour, and we 12 hours, or for even, even, you know, reduced capacity for one week. Do we have a plan? So what is our response plan? What is our crisis management plan? What is our continuity strategy? And then also, what is our recovery strategy? So, like, how do we get this back to business as usual, this vendor, client vendor relationship? And also, is there any kind of, any, you know, extended, you know, capacity requirements on the back end of this, when things are up and running and back to, back to business as usual? If I could just quickly add to that, I think two key things that you said there, Magnus, that hit for me is, you know, when you said you're most important, it's important to remember resiliency and continuity as a top-down approach in any organization first. It doesn't mean that you can't start a simultaneous effort to make it a little bit bottom-up as well. I think that's something a lot of companies do, is you start at the high level, and then potentially start identifying maybe some key sites and start working on individual BCPs for sites. But, you know, I'll use Maerska as an example. If our booking tool goes down, we're losing lots of money really fast and potentially going to our competitors. But also, if we're the only option available in the demographic or geographic, then potentially people are just not able to move their things. So I think that skeleton crew I kind of mentioned earlier is like, how do you identify the key IT? So, you know, it's in resiliency, it's people, assets, vendors, technology. So what are the most important in every single one of those? You know, we see things like in the East Coast of the United States was the last year or the year before where they had a large strike among all the port workers. There goes your people. You know, if a booking tool goes down, there goes your technology. And it's the last piece on vendors and suppliers I think is really important is contractually, and you'll hear me mention this maybe a couple of times. I think what we do in our contracts before are very important before we had a crisis or a disruption. But if we have a vendor that is super key, we shouldn't just be contractually obligating them to have a backup plan. And then we have a backup plan. We should be building that backup plan together. Because if we're not building it together, then the crisis happens. We run left, they run right. And we're not, they're actually not, it's not that they're not trying to help. It's not that they didn't have a plan. It's that their plan didn't align with our plan. And then, you know, what could have been a five hour disruption turns into a five day disruption and results in millions of dollars lost. And maybe, yeah, I agree. And I think, you know, that scale is an organization. We've had a few conversations over the past months on a minimal, minimum viable company concept. Yeah. That is, I think, becoming quite popular, which is, I think there's a little bit of inspiration from the financial sector and the operational framework in on this. But I really like that. Say, okay, what are the critical processes that supports our MVC? Then we can kind of start to map those critical asset dependencies on those critical processes. And then we can plan and build a contingency into that. Because also remember that, you know, a process, it's not a process that we lose. We lose the asset dependencies, one or multiple that would then affect the process. So I think that that is a that is quite valuable to be. It's a good way to look at it and quite pragmatic also. I think to build on that, you know, that point around pragmatic, and it's actually coming to something that you mentioned, James, I'd be very interested in both in your thoughts on this. There's a decision point there that leads to a trade off, you know, and that's both a commercial decision and then a resilience and business risk decision, essentially around what that MVC is, to use the example that you just gave, Magnus. And, you know, what the trade off is, and what I'm alluding to there is the fact that more often than not, when you're looking at what the minimum viable company is, it's very difficult to start excluding teams or functions from that because everyone's area of the business is the most important area of the business to them in many ways, which is very much a stakeholder engagement piece. So when we're talking about the trade offs there, about what's included in this critical camp and which isn't, who owns that? Is it the security and continuity function or is it more the commercial side of the business? And James, I'll start with you and then very much keen for that. Magnus, I feel like I'm saving you from that question. No, but I think it's, and again, unfortunately, these decisions are something that need to be made well before a crisis or a disruption. Yeah. Because, and it's a yearly exercise, if not a bi-yearly exercise. So I think we initiate the conversation as the resilience, security and resilience professionals. So we go out to the owners of the businesses and again, I won't list all of them, but you know, we have forwarding, we have landside transportation, we have warehousing, we have our vessel organization, we have our APMT. To be honest, from a global perspective, APMT and vessels are our most important as far as resiliency goes. Like, not that we don't love our warehouses, but if the warehouse in Willowbrook goes down for a week, it doesn't impact global trade. But if our term, if our terminal at Moslocta goes down for a week, you just minus 300,000 containers coming into Europe. So I think one, it's about going out and talking with the operators for each of the business lines, and then going all the way. And again, these conversations have to go all the way to the top. So I think you find in each one of these organizations, what is the most important to them, and then you bring that to the higher conversation and let those decisions be made. And I think, just like when we're, what I talked about with specifically the straight-of-hore moose is how do we turn these complex ideas that maybe are very language specific to our industry into digestible for these non-security or resilience professionals to ensure that they understand. I mean, and then you have the ones, like I just gave an example of the booking tool. That one goes to the top of the list, right? Regardless of what, because whether they're booking space in our warehouse or booking vessel transport, that has to stay up. So I think from a technology perspective, you assume that the right people are included from an intelligence all the way to your CIO. But I think it's a gradual process with each operational model. And then you bring it all the way to your COO and your CEO, and they make those tough decisions based on the extremely good information that you've given them. Yeah. And to follow on that, I think the whole MVC discussion goes back to what we talked about before with the risk appetite. And that can be dictated by a couple of different things. And I agree that this decision goes all the way to the top of board level of senior management. But you know, the risk appetite, the what does the MVC look like will be dictated by, depending on the organization, commercial commitments, regulatory requirements, and you know, public or like community requirements. So like the CER directive coming into effect, as a country, what do we need to deliver to align with this? So that's definitely part of this MVC discussion. And it's a, coming back to internal communication and alignment, that is where, you know, the stakeholders need to come together internally to map all of these things out. We cannot have this discussion without bringing in, you know, legal, senior management. It cannot be a siloed piece of work from the resilient function. I'm keen to build on that with a couple of practical points as well. So, and, but just before we do, just to flag, I can see there's some really good questions in the chat and we'll get to the Q&A in a moment. So if you have any other questions based on what we've been discussing so far, feel free to reach out. I'm very, very keen to maybe throw a couple of hard questions to the team, feel free. The Magnus to starting with yourself and it's building on what we, what you were just saying. You know, I'm very conscious that there's likely people out there who are looking and essentially saying, wouldn't it be fantastic to have a function as complex and as well resourced as as what James just described before. And for a lot of teams, it comes down to a budget conversation and the fact that they just don't have the people or they don't have the resources to, to build the resilience framework that they actually want. So for, you know, for those with limited budgets, what are the high impact things or the practical things that help them get there in the first instance, either if they're starting from scratch or starting from a relatively low base? I think capabilities, I think building the, I think that's the most cost efficient way of doing it internally and kind of increasing the maturity level within organizations is to, to, to train and to cater for like resilience capabilities. Most organizations, I would almost say all organizations have resilience baked into their operations and into the capabilities of their people. So I think really highlighting that, training that, exercising that, that will get you a long, get you a long way when things happen. So if, if, if an organization is mature enough to get the right people together in a room when something happens, then you're already, you know, further ahead than 80% of most organizations. Yeah, I got, I, I, I 100% agree with what everything Magnus said. I'll just add a couple of key things, I think to that. So first of all, awareness, anyone can build a 20 minute e-learning. And again, it's, it's not going to save your, save you during a huge disruption, but if you can boil this huge concept down to, you know, I'm going to speak because we're here in Denmark, when you're riding your bike to work and you get a flat tire and you don't have a, one of those little things to shoot it up and fill it with air again and fix the flat, like such a simple concept. Right. But like it, it's a plan B, it's a redundancy, right? We build in redundancies across our organization. Right. So I think anything we can do to just get people thinking about it in a 20 minute e-learning that's distributed through a learning system to every single person, that's a start, right? It gets everybody start to having the right discussions. And then I think top down support, right? So I think, you know, again, we have something that MERS called the commit rule. Again, we're a publicly traded company. You can go look at our public disclosures and see a lot more about the commit rule. But part of our commit rules, we actually have a resiliency commit rules and that's signed off by Vincent Clerk, I CEO. And he's done, I'm pretty sure through internal comms, he's done a video on it as well. So if anyone ever was questioning if this is supported by the highest levels of our organization, it is not, it's not a question, right? So I think having that mandate from the top down, and then a lot of, you know, a lot of logistics companies, you know, we're one of the very blessed ones that has a significant presence, not only at central, but out in the regions and areas. But if you're one of those that don't, or just an organization that doesn't, you gotta have a crisis management framework. Because even if you don't have everyone, all the great people that can potentially handle these things locally, or you have to have a framework signed off by everyone that when things go very wrong, who is going to get into a room and who is going to make the decisions? Because without that simple concept, it's really going to just compound your problem. And again, these disruptions, you hear about it in the straight of Hormuz a lot, right? That for every week that the, this disruption continues, it's going to back up the global supply chain by a month, right? It's the same idea within a concept. So if you don't have a framework to make decisions, every day that disruption goes on, it can take your company a week to several weeks per day to move back to regular operations. Yeah. I want to pick up on that. And it's actually alluding back to the slide you shared before as well, because on that PP, and I'm sure that's what you call it internally, it doesn't exactly roll off the tongue. But on that framework, we were also talking about minimum viable company. For the resilience function, when you have this framework that's been built out, even if it's been road tested, there's also the reality, there's a minimum viable version of this when you're in response mode, whether it be for 24 hours or it be for a week. From the experience over the last few months, what's the minimum viable version of this, that teams should be thinking about? It's a really good question. And again, as Magnus has alluded to several times, I think it changes organization by organization. I think for us, I'm going to reference something actually really funny that I think speaks to this a little bit. So in our bill of lading, in our contractual obligations with our customers, we do not tell you or commit to how we will move your product. We tell you in the bids and everything like that, but especially with the straight horn moose, we might have promised you that it was going to get from point A to point B with a vessel. It may be now going over a land bridge, because we're dropping it at Salala and then moving it somewhere else. So I think it's very important to remember that these minimal viable company, it shifts, the skeleton crew shifts and it moves along depending on where it is. So I think being aware that you can tackle these different parts of this with different solutions and making sure that those commitments to your customers are movable as much as possible. Because I think in this current crisis, none of our customers are going to be surprised if we call them and say, hey, it's going to be a week late. And we don't want to make those calls. But I think how do we prepare ourselves from a contractual obligation, as well as forming these great relationships and having a high level of communication. You can go onto the Merce public website right now, and there's customer comms available. You can reach out to the customer experience team and get regular updates. So I think having all these things doesn't define an MVC, but it continually moves it to the most appropriate spot based on the current scenario. That makes entire sense. I want to jump to some of the speaker, well, some of the questions from the chat as well, starting with Melina's. Magnus, this is in many ways for you, I think, first, but James, feel free to build on it as well. How are organizations addressing the lack of visibility across their critical supply chains? Resilience is a factor there, limited tooling, different risk appetites. But a lot of that comes down to whether or not you actually have visibility on what criticality means, alluding back to what you said before. Yeah, definitely. And that is a major gap and it's something that's quite difficult. So for us at Human Risks, when we look at kind of an asset register and the different types of assets that we try to map out in the supply chain, vendors, digital assets, buildings and everything, it is something that's extremely difficult, even for a part of the organization, which is IT, they have their CMDB, that is rarely very completed, rarely gives a very good picture of the kind of reality of the organization. So again, how do you address that? You can almost flip it around. So there's the traditional way of doing a BIA, exploring what is critical to our operations, mapping that out. That's one way of doing it. You can also flip it around. You can actually start with the exercise, start with the discussion or the simulation. And through those discussions, through those kind of micro simulations, you actually start to map out what is most critical. You'll get a cheese with a lot of holes in it. But that's another way of kind of going about this than your traditional BIA methodology. Yeah. And James, feel free to build. I've got another question for you here. Yeah, honestly, I think Magnus said it well. It really comes down to, you know, I think build out those triggers, right? So if you as a company with minimal resources work with the resources you have, define the triggers that say, we're going to move from step A to step B to step C. We're going to pivot to, you know, one, two, three, as opposed to ABC, but really work with what you have, define your triggers, work from them and be willing to pivot and change your strategy quickly. Again, I'm going to repeat myself just once, imperfect plan implemented now is better than a perfect plan implemented too late. Yeah. And James, there's another one here for you, but Magnus, I think it'll be interesting to get your perspective on this in a second as well. This is on risk quantification. Rajiv, really, really good question. How do you actually quantify a choke point? You know, down to downtime or revenue loss? When we're looking at the straight-up point moves, really, really interesting way of looking at that. You know, obviously driving a business decision comes down to whether or not you can quantify what the risk is there before it occurs. But one of the everlasting questions in the resilience space on how you actually do that and put it toe to toe with the commercial data that the firm's looking at as well. So I am not aware of a company yet that has perfect cost capture during a crisis. If someone is able to figure that out, I'm sure they will be able to make a lot of money selling this solution to companies. Because it's hard to measure it, right? Because it's not, the easy stuff is the commercial, right? So I think, you know, how do we define, I think for quantifiable for our world, it's actually quite easy in the sense that, like I said earlier, not that we don't love our landside transportation, not that it's not very important. The choke points, you got the BAM, you got the Panama Canal, the Strait of Taiwan. These go down, you have to reroute entire networks around the globe. It's not just MERSC, it's Evergreen, it's Costco, it's all these, right? So I think based geography sets some of those choke points out very clearly for us at a global scale. But I think that's what's on us as security professionals, is how do we quantify all the different impacts, right? And that's by, you know, potentially before a crisis call, you have to get together and say, what is the cost of evacuating a few hundred employees out of the country? Because it's not just getting them on planes, it's about setting them up somewhere. How do you quantify the cost of, and again, it's that classic ISO 31,000, you know, cost of temporary replacement, cost of full replacement, cost of brand impact. So I mean, some of it is simply not quantifiable, but it doesn't mean it's not that there can be best estimates made. And a cost capture exercise, I think is part of the debrief, as well as the after action report, because it shows where we could get better in the future. But it also shows where sometimes when we make the decision, we're thinking, oh, this is actually the best decision, because it's going to minimize costs. And it's like, well, actually, long term, that's going to have significant, you know, 10, 20 times the cost. So it's really, it's a tough one. I'll be honest, if we had a perfect answer, I think we'd all be more successful in sometimes making our business case. Because what you'll see also in these crises is the senior operators and senior leaders will say, if we just had a little bit more information, we can make this decision. And unfortunately, we have to be blunt in those situations and say, you're not going to get that information. We all we, you know, and this is not specific to MERS. Operators might ask you something that not on an intelligence perspective, that not the most well funded intelligence organizations working for governments have the answer to. If they don't have an answer, we're most likely not going to have an answer either. So how do we, how do we kind of force the conversation along, give our best estimates on cost capture. And then also remember that, you know, sometimes we have to prioritize people's safety, even outside of significant cost is, I mean, we always do, right. So it's, it's this weird balance that I think there's not an exact formula for, but capturing the cost before we get into those crisis management teams can help drive better decision making. I've got two more for you both. And we will need to have to treat these as a little bit quick fire because the, you know, as we need to start to wrap up, but both very pertinent. Magnus, starting with yourself, and let's just do 30 seconds around the room, I think, for each of these. What does good look like in terms of the relationship between business continuity, security, procurement, and the commercial teams? Because the, the reality is that it can be very easy for them to become siloed. And to be honest, when we're all working online and sitting in living rooms, for example, you can't just walk across the office and have that conversation in quite the same way that you might have been able to use to. Yeah. Yeah. I mean, good looks like, and that's again, very different from organization to organization, but I think good looks like a conversation, at least a strong relationship, a dialogue between resilience and other parts of the organization, not only commercial. I think there's, of course, there's a point where the resilience capabilities of an organization also is not only a, and security is not only a cost center, but also a commercial driver. And that's, that helps those conversations. I think Maersk has done a great job of like kind of having a resilience offering within their business that is of value to their customers. So I think like, as soon as you start having that discussion in relationship with it, we'll, we'll, we'll strengthen. Real quick, because we had kind of already said it, procurement, who's your most important vendors, build your resilience plans together. Don't do them siloed. And then skeleton or MVC, however you want to say it, prioritize those first. Commercial, Magnus said extremely well. Resilience and security is no longer an added benefit. It's a requirement. It's kind of the license to operate now. So for me, and it's also about, I think there's a strong piece that we haven't touched on here as well, is that how much competitor behavior determines how companies act during a crisis, right? So a lot of these companies, especially in the straight of our members, aren't just looking to what governments are saying. They're looking to what their competitors are doing. So, and I think with resiliency, I think it's always an interesting conversation with customers because we have, we always want to support them, but we always have to be very honest as well, because we're not going to hand over our global resilience strategy or business continuity strategy because, and we don't blame our customers for this, but they might take that and go present it to our competitors and say, well, Maersk is offering this, what can you do? And then they make strategic moves to outplay us based on those. So I think we always, like Magnus said, we use that as part of our commercial desire, but we have to be careful about how much we lay out in the world because it is a competitive capitalistic market. And as one final point, and this, for this one really, you know, a quick thought from you both. To make this practical and very personal for a second, because all three of us have worked in the industry and, you know, you've been managing crises over the last few months, James. What's one of the ways of working that you bring or that you see work really, really well from a personal practitioner perspective? It's something that people do differently that actually makes them more effective as a resilience leader. So again, I'm actually going to steal something from my peer, who's the head of crisis management and business resilience, because I'm going to steal her work, because she's our, she is the best at this. And then our global head of intelligence also is the crisis management teams get all the key stakeholders in the room, right? But I think also, what are you doing outside of those rooms? So I think having these conversations to help people, you don't want to get into long detailed descriptions, discussions in these very important time sensitive meetings about one little aspect. So how do you, and this is something that our, our crisis management, uh, head of crisis manager does, Nicola is, I think she has a WhatsApp chat with every single C-suite and person in our company and head of, and head of business. And they're consistently talking even outside of these calls and they're presenting, they're bouncing ideas off of each other. They're, they're getting their opinions. They're politely pushing each other to think differently so that when we get to these rooms where all the important people are in it and the decision needs to be made, we're not wasting our time with these potentials or kind of ideas that need to be washed out before the big conversation. So I think it's not, it's how do you go and have these pre preemptive conversations before you get to the one that were the decisions really need made. And I think that's something Nicola does extremely well. And Magnus? Yeah, really quickly, I think, stop mapping your critical assets and then I will say, under document and over exercise. That's what you should do. Fantastic. Thank you very much both. And just on a final note, and just to share something from us and the team here at Human Risks. Thank you, first of all, for everyone who's joined us and taking the time to join us today. We do want to share a playbook with you that we're actually publishing in the next few days on bridging the resiliency gap. If you would like to take the chance to read it first, I believe Stella has just put the link in the chat and will be launching tomorrow. The paper explores how to close the gap between compliance driven programs and general operational continuity. So, you know, very much built around the actual frameworks that we've been discussing here today on planning, executing and reporting, but also some of the leadership requirements and considerations that teams need to be taking when we're talking about things like CER, as Magnus just mentioned before, as well as NIST 2, DORA and some of the other things there. So, if you'd be interested in reading it and seeing that before it's published over the next few days, then click the link in the chat and take a download. As well as that, if you are happy to stay behind for 30 seconds and answer a short survey, it'd be fantastic to hear from you, as we, you know, very much the intent from us is to bring experts like James to share some of the perspectives and some of the best practice learnings that we can see across the industry. And lastly, if you'd like to book a demo with us to connect with the Human Risks team, then Stella's just put a link in the chat there as well. So, very, very keen to hear from you, very, very keen to connect. We have the pleasure of working with the team at Maersk and many organisations across Europe as looking at some of the thorny issues and framework questions that we've been discussing today. So, very, very interested in hearing from you and being able to share what we're able to see. But thank gents. I think that's us. Thank you very much for joining us again. James, Magnus, it's been a pleasure. In particular, James, thank you for joining us and sharing some of the expertise and and things that you've seen on the ground over the last few months. And to all the audience, thank you very much for joining us and have a fantastic day. Thank you so much. Thank you so much.