|
 Harvey
Fawcett conducts a risk assessment of the crisis communications
methods available to businesses.
In the immediate aftermath of a business threatening
event, an organisation needs to invoke its business continuity plans
and organise the recovery. Communicating ‘immediate actions’
and important information are vital to the overall success of the
process. This stage is a critical choke point and an organisation
should carry out a specific risk assessment on its ability to effectively
communicate on a large scale in a short time frame.
There are a number of methods and systems that
can be deployed in order to address this critical issue, each with
specific risks.
The traditional method of communicating rapidly
with large numbers of people is the so called ‘manual cascade’,
where a message is relayed in a sequential fashion from person to
person. For example, one person may call three; that three then
call six; and so on.
Manual cascade - risks
Risks associated with this method are as follows:
The message not getting through
Manual cascades are notoriously slow. People unfamiliar with the
dynamics of manual cascades often drastically underestimate the
amount of time needed to contact people. Even assuming that all
contact numbers are correct, everyone answers the call immediately,
and no one person is ever out of contact, the time taken to contact
even small numbers of people is usually measured in hours not minutes.
The message becoming distorted
Most people are familiar with the ‘Send three and fourpence
we are going to a dance’ story where a simple message was
passed on sequentially through a manual cascade but the output did
not match the input. Manual cascades, whatever modern communication
technology is used, are subject to the same issues of distortion,
misinterpretation and confusion. Stress and language differences
often colour a person’s perception of a message and the context
in which it is delivered.
The message becoming out of date before
it is completely disseminated
Because of the ponderous nature of manual cascades there is a significant
risk of any given message being out of date by the time it is successfully
delivered. Crises by their very nature are dynamic events, and effective
command and control relies on rapid communication. The lack of dynamism
in manual cascades are a significant constraining factor.
Lack of control
Like ripples on the surface of a pond, once a manual cascade utilising
multiple levels is started, the ripples can only go outwards. If
the message needs to be changed, updated or stopped, it simply cannot
be done effectively with this method.
Lack of management information
Who has got the message? Which message have they got? And what are
they doing about it? Are typical questions. Manual cascades cannot
effectively deliver answers to these questions. In the aftermath
of an incident, critical information on which to base an improvement
process is at best anecdotal and at worst just not available.
Uncontrolled information and reactions
Even in a highly disciplined environment, control over the direction
of information flow is practically impossible. People naturally
want to know what is going on and to help. This results in informal
cascades taking place that cut across organisational divides. Apart
from creating a problem of ‘who knows what and when’,
this cross group calling effect drastically decreases the effectiveness
of the cascade, because it means that people are ‘chattering’
and consequently unavailable for the correct incoming message.
Information being out of date
In a pyramid cascade, it is assumed that everyone has the correct
contact information for their own sub group. Contact details change
frequently and, because this information needs to be communicated
to multiple groups, it creates a document control and issue problem.
Manual cascades also rely on people actually being in possession
of their ‘calling cards’. Again, this is impossible
to enforce and manage. The higher up the chain a person is, the
more significant a problem it will create, should they not have
this information to hand.
In summary, there are significant risks associated
with relying on manual cascades for effective crisis information
delivery. Recognition of these risks has created the need for both
equipment vendors and customers to seek technological solutions
in order to address them.
Automated systems - risks
Business continuity, risk management and emergency planning practitioners
have realised that they can deploy technology to address the shortcomings
of manual cascades, but in turn these systems also create their
own significant risks which should also be carefully assessed.
There are many excellent technology systems
on the market from a number of equipment vendors, but deployment
of these systems also has inherent risks as described below:
Resilience
If technology is being relied upon to deliver an absolutely critical
element of an organisation’s recovery capability, resilience
risk should be at the top of the list. Real resilience is more than
having redundant disk arrays. The following questions should be
asked:
• Location. Is it sited in an area or building that may actually
be part of the crisis?
• Can members of the recovery team access the equipment 24
hours a day and from any location?
• If remote access technology is used to access the equipment,
is this dependant on other technology systems? Ask the same resilience
risk questions about this access technology.
• Is equipment maintained on a 24 hour basis? If so what is
the response time?
• What do maintenance agreements cover? For example, do they
provide for complete duplicate hardware replacement and software/data
restore? Read the small print.
• What happens if the telecommunication feeds to the system
are lost? Are redundant carriers available? If so, is this transition
automatic or does it require IT support? Is this support available
on a 24 hours a day basis?
• What happens if the whole site, equipment and telecommunication
feeds are lost? Are duplicates available?
• If duplicate facilities are available, are they activated
automatically or do they require IT support?
• Do duplicate facilities support real time data mirroring,
or do lengthy backup procedures need to be invoked?
• If the system can only be used by certain individuals can
their availability be assured?
The simplest way to assess risk associated
with technology solutions is to ask the simple question: “what
if this element failed” then ask the same question at 3 o’clock
on a Sunday morning.
Ease of use
It is a simple fact that crises do not happen every day. Whilst
most people can achieve basic levels of proficiency in software
applications with training, only with regular use can applications
be mastered. Regular use of crisis communications technology is
not likely in most organisations. In the heightened stress situation
of a real event, can users be guaranteed to use applications to
a level of proficiency that does not introduce risk?
Security
Automated systems are tremendously powerful, able to deliver messages
rapidly to large numbers of people. Systems must be protected against
accidental and malicious use. Security risk assessments should include
access to both the equipment and the data held on it. Access should
be restricted to only competent and authorised personnel but should
not be too restrictive as this can also create issues with too few
people having access. If access to systems is controlled with multi
level passwords alone, an area of potential security risk is introduced.
Easy to remember passwords are also easy to guess; complex passwords
are secure but hard to remember and tend to be written down. If
hosted solutions are used, does the hosting company operate a recognised
information security management standard such as the BS7799?
Information security for the purposes of the
BS 7799 standard is defined as the preservation of confidentiality,
integrity and availability
BS 7799 Part 1 covers the following areas of
management control:
• Information security policy
• Organisational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance.
Keeping information up to date
Automated systems are only as good as the information they contain.
Maintenance of contact data should not be underestimated, and suitable
control systems implemented to ensure that updates to recipients’
contact data are mirrored onto the system in a timely fashion.
Accidental or malicious callout
No matter what type of automated system is deployed, there is always
a risk of accidental or malicious callouts. Because of the rapidity
of message throughput of automated systems the consequences of such
an event are significant and sufficient planning and risk treatment
should be applied to the issues of prevention, dealing with the
consequences and recovering back to a stable state.
Summary
Whilst the risks attached to the use of manual cascade systems are
obvious in their significance, it has been proven that deployment
of automated systems can address and solve many of these. Yet it
must be taken into account that automated systems introduce a completely
new set of risks related to the management and operation of the
technology.
Harvey Fawcett is operations director of
247i Limited.
247i has developed 247i Messenger, a solution
which comprehensively addresses both sets of risk issues identified
above by delivering a fully managed crisis communication service
with unrivalled resilience, capacity, ease of use, information management
and security. For further information please contact Alan Lloyd,
commercial director, tel : +44 (0) 870 990 9816 email : alan.lloyd@247i.co.uk
•Date:
23rd April 2004 •Region: UK/World •Type:
Article •Topic: Crisis
communications
Rate this article or
make a comment - click
here |
