Disruption case study: Maya Buchanan

Maya Buchanan - Director of Global Governance, NCC Group

NCC Group is a global cyber security and resilience expert, headquartered in the UK with offices in 12 countries. I joined NCC Group approximately 18 months ago as Director of its Global Governance function, which includes internal audit, legal, compliance and standards (e.g., ISO; and FEDRAMP compliance), data protection governance, information security and health and safety.

Almost immediately after I started, we were faced with the Covid pandemic.

Due to the nature of our work and the way in which we have traditionally delivered our services, many of our colleagues carry out projects while on customer sites across the globe.

As soon as events started to unfold in China in January 2020, we used our expense and scheduling systems to begin to identify where our colleagues were located, whether they were safe and, where possible, they were repatriated. In addition, we were able to access intelligence which supported rapidly monitoring changes to regional Covid rules.

Our primary concerns were colleague safety and ensuring business continuity – could we serve our customers while safeguarding our colleagues?

We anticipated lockdowns and started exploring ways to move all of our traditionally office-based teams to remote working in early February. We even managed to conduct ‘move to remote’ practice runs to support colleague anxiety and to check that the systems adopted would work and/or be rectified, prior to lockdowns being implemented.

Our next consideration was to maintain our support to our customers. Our functional teams were able to collaborate with customers and implement secure methods of working to deliver their services without physically visiting clients – thus safeguarding our colleagues and their employees.

Preparing early enabled us to maintain the corporate decision-making processes so that all our Board and committee meetings were able to continue as normal (although remotely) throughout the crisis. There was no “push down” of responsibility and the executive committee remained accountable for business-as-usual responsibilities as well as pandemic-related issues.

My role was challenging because I was new, however we had robust intelligence from our global operations and an excellent Executive Support Steering Group. We used data from our Asian operations to prepare before our offices in Europe and North America were affected. Once we activated the Group’s business response plan, the key was to anticipate and reassure. We planned for many outcomes and worked with scenarios, drawing on expertise from the whole business.

As we moved through local lockdowns, it became evident that it was impossible to manage every office centrally – the situations were completely different – so we established a working group for office opening, which met twice a week and drew on local updates and guidance.

The major challenge was that the crisis was unprecedented – we couldn’t seek advice from anyone with previous experience of a pandemic. And it was different for everyone depending on their circumstances and where they were working.

As someone who believes in efficiency and consistency of controls, I realised that we couldn’t manage everything from the centre. However, it led to a positive consequence that we empowered colleagues to come up with solutions that reflected their individual needs and situations – e.g., local guidance.

An example of a new process introduced was the “permit to work” scheme. We adapted the type of permits primarily used on industrial sites and developed a checklist, which had to be completed in the event that a colleague had to visit a client site. Specifically, the permit to work questioned the procedures implemented by clients to safeguard our colleagues and to ascertain whether it was appropriate to attend a customer site. This has been so successful that we plan to maintain the procedure going forward to ensure the health, safety and wellbeing of our colleagues.

An internal audit specific challenge was the introduction of remote auditing and gaining access to hardcopy data. This methodology quickly enabled the internal audit team to identify manual processes and supported the business in identifying ways to automate these. Consequently, the data is now more accessible and more transparent and is supporting the use of data analytics.

For me, the pandemic has reinforced the importance of really listening to people to create a shared understanding. This is the only way to get a successful outcome even in the midst of a disaster.

It’s also taught me that a one-size-fits-all approach fits no one. We created a system of “freedom within a local framework” and empowered local champions to make decisions. We provided control templates along with colleague information packs that were specific to different locations to accompany the permit-to-work scheme. As a consequence, we have forged closer relationships with colleagues around the world.

The pandemic will have long-term effects – people will be dealing with bereavement and ongoing health issues and will have changed their priorities. When it starts to draw to a close, we will do a formal reflection exercise, but, at the moment, we’re still evolving our responses. It is only by learning lessons and using these to inform our response plans that we can prepare for the next crisis.


In partnership with: