Planning to fail?

Updated: Dec 13, 2018



So, is your organisation planning to fail? Or only failing to plan for crises? Most organisations would emphatically state that they are not planning to fail, however, as this article will illustrate, if the organisation is failing to prepare for a crisis then the outcome could well be the same.

Planning for a crisis isn't about the doomsday scenario, but about ensuring organisations seize the opportunity presented in a crisis and create a more resilient body: one that is both responsive, alert to future challenges and able to deliver to the customer, the stakeholder and meet shareholder expectations.

There are 10 critical aspects relating to crisis management: -

1. Sponsorship - senior executive engagement is critical to a successful crisis programme.

2. Definition - Defining crisis, what it means and how the organisation should respond.

3. Training - Train people, crisis leadership is not innate, most leaders have tried to avoid it so many will have limited experience.

4. Leadership - Must be with ownership and humanity, so too must the communications (both internally and externally).

5. Clarity - assigning roles and responsibility is critical

6. Assess the crisis - Situation, Information, Thoughts, Actions, Communication.

7. Protect - People, brand and reputation.

8. Respond - Consistently and at the speed of the incident, not that of the organisation.

9. Recover - As quickly as possible in line with the recovery time objectives.

10. Debrief – Learn and improve ready for next time.

These aspects were confirmed and underlined across numerous industries during a recent panel discussion I moderated covering crisis management and communications. The debate considered the impact of current high profile operational incidents, terrorism and cyber attacks and how organisations could best prepare and respond to the ever-changing risk and threat landscape.

They are also in line with a recent industry survey, where 46% identified lack of senior management buy-in and support as the most significant challenge to efficiently prepare their organisation for a crisis.

Buy In

Without support at a level that is senior enough and from an individual who has both the motivation and the political capital to support the project, it is unlikely to succeed. Articulating the benefits to stakeholders of a comprehensive programme including horizon scanning and exercising is vital to gaining buy-in and engagement. Commonly realised gains include increased efficiency and cost-savings through avoiding or pre-preparing for incidents, better cross-functional working, greater empowerment and motivation of staff.

Crisis what crisis?

One may think that defining this would be a relatively simple task. Anyone dealing with either business continuity management or crisis management in a corporate environment has probably come across statements such as "We handle crises every day?” or "I will know it when I see it".

We've seen many high-profile examples of crisis management in action recently. What becomes apparent is the responses of those well-drilled in crisis response, usually displaying slick actions, being efficient and instilling confidence in those around them. What is equally clear is the responses from those whose crisis management protocols fall short of expected standards. One has only to look at the 2017 case studies of British Airways or United Airlines and their respective crisis communications as examples negatively affecting both brand reputation and shareholder value.

One dictionary meaning of crisis is a "time when a difficult or important decision must be made; the situation has reached crisis point."

This definition primarily revolves around what constitutes a crisis and what sets it apart from a routine emergency. An element of pre-planning and mitigation can usually be put in place in relation to a routine emergency, due to the likelihood or predictability of that scenario occurring. Although still challenging, routine means some element of predictability allowing for advanced preparation.

One could see a crisis as being at the edges of a storm; you can be so busy dealing with the initial effects that you do not stand back to see the whole picture revealing that you are just in the eye of the storm. If you don’t stand back, how do you know you have reached and dealt with the end of the crisis?

We should be mindful that what is a crisis for one industry could well be business as usual for another. Having people in harm's way is what news media do regularly, but for the majority of businesses, this could indicate a crisis. Equally, what looks like a crisis for one department may not even raise pulses in another. Therefore a formal, aligned and agreed definition adequately documented within company policy is vital.

Preparation - Team Structure, Roles and Responsibilities, Exercise

Those slick teams mentioned previously, didn’t get that way by accident. They prepared… a lot. In addition to their knowledge on processes and operations, members knew their roles and responsibilities. Without this forethought, dealing with even routine emergencies can be unnecessarily challenging.

Practice, Practice, Practice

Crises can affect organisations both directly and indirectly, as we have seen from instances as wide-ranging as terrorism, natural disasters, and operational emergencies. Many people, myself included, have dealt with those types of scenarios in a corporate environment; however, others across different parts of your organisation will not have, and even those experienced in each crisis type will acknowledge that seemingly similar crises present various new and unique challenges.

Some skills are learned, others are innate... Crisis management and the teamwork needed for a successful outcome require practice, and that means testing the process together. It is critical that people understand their roles, and responsibilities, but are also ready to get involved with other requirements which might not be immediately apparent other than in a crisis or during an exercise i.e. how do we prepare people for the unexpected? One cannot know if the organisation is resilient until it is tested.

Desktop exercises allow any flaws in the plan, documentation or often existing business processes to be understood while the opportunity to rectify them is there. Having facilitated exercises where the person responsible for the documentation is "100% certain" it is up to date, only to find incorrect phone numbers, or that someone left the business a year ago, is humorous during an exercise, but not funny when lives or the company are at stake.

Responsibilities, Roles and Clarity

Keeping the strategic core team small enough to be efficient in decision-making and broad enough to cover core business is an important step. People or departments not included initially can be brought in as required. Defining who is overall responsible at Strategic, Tactical and Operational levels (also often referred to as gold, silver and bronze levels) should usually follow existing departmental and organisational lines, with precise definitions of relevant considerations being outlined per department. Pre-defining this also saves time during any incident.

Assessing the Crisis

A mnemonic I have used for many years is SITAC:

Situation – What’s happened? Where? Who’s involved? Who’s nearby? Can we account for our team?

Information - What do we know? What don’t we know? How will we fill in the blanks? You will rarely have all the facts

Thoughts - of the Strategic, Tactical or Operational teams (both within the organisation and external advisors such as the Emergency Services).

Actions - What do we need to decide? What do we need to act on? By when? By Who?

Communications - How often? To whom? Consider both internal and external stakeholders, What and when will we communicate to different populations?

Everything must be documented comprehensively; it may be required post-event for internal organisational debriefs or legal/regulatory actions.

Organisations should review pre-scheduled marketing communications that are due to go out via social media. Such communications are often a source of embarrassment, when what had been perfectly acceptable becomes unacceptable due to a specific crisis topic. British Airways, United Airlines and GCHQ have all fallen foul of this during a crisis.

Protection

People, brand and reputation are amongst the most vital aspects to consider relating to both crisis and routine emergencies. People (from employees to the public) have to be at the heart of all discussions and decisions.

Response

Any response must always be at the speed of the incident, and not at the speed of the organisation. Some organisations will need to become quicker at decision making, while others will be required to pause and ensure they have adequate information and have considered the situation. Social media will often accelerate that speed particularly in relation to PR and communications.

Recover

If adequate planning has occurred before any crisis, priorities will be understood across the business enabling responses that match with and are focused on recovery time objectives.

Debrief

How do you improve, if you don't identify what went well and what needs improvement? Remember those slick teams I mentioned? Debriefing is fundamental to their success - make it an essential part of your crisis management team’s success.


If you're a CEO, COO or other Senior Executive accountable for considering how to deliver crisis management to your organisation, or how to create a business continuity plan. Please contact us info@enterprisesecurityrisk.com

#ESRM #Crisis Management

#EventSecurity #CrisisLeadership #CrisisCommunication #CrisisManagement #ESRM #Terrorism #businesscontinuity #businesscontinuitymanagement

Website and content © of Enterprise Security Risk Management Limited. Created by IT@enterprisesecurityrisk.com. ESR logo is a registered TM.

Global Cyber Alliance DMARC Cyber Security
Global Cyber Alliance DMARC Cyber Security