Crisis management: how to plan for the unknown

By Andrew Fernandes.

One of the clear lessons that needs to be learned from the many and varied crises and disasters that the world has seen since the start of the new millennium is that it is not possible to predict every incident that will impact your company. This makes scenario-based business continuity planning a risky activity in its own right! And such an approach will lead to a false sense of security.

Whilst incidents can be categorized by type and prepared for via scenario-based methods, it is equally (or maybe more) important to be able to quickly and competently deal with the unexpected crisis that suddenly occurs out of the blue.

So, as business continuity planners, how do we deal with a novel or unexpected incident, especially when there is nothing in the textbooks or existing methodologies to provide guidance? The answer is to have a well chosen, highly trained, frequently exercised crisis management team, coupled with strong and clear crisis management plans.

In this white paper, I would like to share some of the practical aspects of what every planner should think about putting in place, as part of the crisis management process.

As we all know, an incident can be anything that has the potential to cause a business interruption. IF the incident cannot be resolved, then it becomes a CRISIS. A crisis is THE incident that causes a business interruption.

In order to deal with the unknown, a two-phased planning approach is necessary:

Phase 1 – Pre planning (Risk assessment and mitigation)
Phase 2 – Crisis assessment and management planning (Incident resolution)

Phase 1 – Pre planning (Risk assessment and mitigation)
The pre-planning stage follows the usual business continuity development cycle, which has been developed over time and ratified by bodies such as the Business Continuity Institute and the Disaster Recovery Institute International. However, the documentation available to explain how to develop a business continuity plan can be fairly extensive. My simplified version is as follows:

Step one – KNOW your risks!! Risk is a very broad term, but here is a very simple way of breaking it down into bite-sized pieces:

* Get your senior management team into a room;
* Identify all risks (internal and external) that can potentially impact your organization;
* Group ALL known risks into two categories – high probability, low probability;
* Assign downtime tolerance against each probability (Downtime should be restricted to three timelines: less than one business day, 1-2 business days, 2-7 business days);
* Identify the potential impact of a risk event on the business – high or low (notice there is no medium!).

Step two – ALL high probability risks should have a LOW impact. If NOT, your business is really in dangerous waters!! If any high probability risks turn out to have a high impact, then it is very important that an operational solution is put in place absolutely as soon as possible.

Step three – Get management prioritization for low probability/high impact risks, to ensure that as a business there is a clear consensus on what business continuity activities should focus on. Not sure where to start? Concentrate on the top three unaddressed risks with the highest impact.

Phase 2 – Crisis assessment and management planning (Incident resolution)
For starters, the crisis will need to be managed either by location and/or by business function, and to manage it the team must be predefined and members must be clear about their roles. A crisis management team needs the following to be in place to be effective:

Role one: There must be clearly identified ‘assessors’ (along with back-ups to these people) whose sole mission is to be able to assess the business interruption impact and provide feedback to the incident management team.

The assessor is the eyes and ears of the business and clearly needs to have the expertise to understand and assess the impact to the infrastructure and people. Assessors typically represent functions such as HR, Security EHS, and Operations. Based on the size of the organization, they can perform their functions individually or as a group. If they work as a group, they would typically form the ‘Site Response Team’. Their core responsibilities are to:

* Analyze and assess incidents.
* Resolve incidents; and if no resolution is possible immediately, to escalate.
* Provide recommendations.
* Execute actions to facilitate the return to a state of normality.
* Coordinate the return to normal operations once the threat has been concluded.
* Initiate a post incident review to provide feedback - what went well/what did not work, areas for improvement etc.

Role two: Identify a group of senior executives whose role is to receive the feedback provided by the assessors. Depending on the size of the organization this can be one individual or more, or a group of individuals. Either way their role is to perform crisis management and hence they are what we typically know as the crisis management team.

This team or individual(s) are authorized to approve recommendations given and are mainly involved in the crisis management process because they have their finger on the pulse of the business and can gauge the impact that the interruption will cause to the organization and business activities in general. Core responsibilities for this team or individual(s) are:

* Provide guidance to the assessors.
* Receive recommendations and provide approval and direction.
* Be accountable for the direction provided.

Role three: Irrespective of the size of the organization, you must have a person designated to drive internal and, if required, external communication efforts. One of the fundamental flaws in many crisis responses is that an overdose of information is provided but with no real focus to the communication. Effective and proactive communication will create and build the perception that the organization is under control; that the company knows and understands what is happening; and that it will resolve the situation. No matter how big or small an organization, credibility can be gained or lost during a crisis.

For an organization that has multiple sites, or multiple locations, replicate the above process. Remember you must have eyes and ears on the ground. Speed is of the essence. Some points to consider are:

* If you have a cluster of buildings that is considered one site, your team needs to decide whether they need to have an assessor per building or per site;
* If you have sites in different locations/cities you must have a separate site response team. You may be able to work with one crisis management team as long as the site leads are part of the crisis management team.
* If you have sites in multiple countries, and regions, it is strongly recommended that you have regional crisis management teams and country specific response teams.

Andrew Fernandez is a certified business continuity practitioner with 10+ years' hands-on experience in business continuity and process improvements. He is currently employed by Dell Inc, USA as Manager - global business continuity.

Date: 29th Sept 2006 • Region: US/World • Type: Article • Topic: Crisis management

Copyright 2010 Portal Publishing Ltd