Preparing for a Crisis
New security challenges alongside a recession create interesting tensions. Constraints are likely to persist, ‘green shoots’ notwithstanding. No organisation can face multifaceted security challenges without planning for a time when security fails, that is, a ‘crisis’. However, if reduced security spending lowers the threshold at which events cannot be controlled by business-as-usual security, then the organisation could be in ‘crisis mode’ more often than it expects.
Ideally, crisis planning is about events so unlikely that big expenditure on security measures to prevent them is unnecessary. Planning can then focus on process, information, communication, decision making, and continuity. However, if security is not applied routinely against areas of predictable risk, because of insufficient analysis or money, then a ‘predictable crisis’ could occur. Either way, crisis planning and exercising, even if only (or perhaps especially) at ‘table top’ level, are essential weapons in the fight to survive a crisis.
Definition of a Crisis
Definitions of a crisis vary, but the component parts might be:
- An event threatening severe negative impact on operations, finances or reputation.
- Causing serious harm to employees, communities or customers.
- Generating adverse public or governmental scrutiny.
To help, we have two pending British Standards:
- At the higher level is BS65000 (Organisational Resilience) with the first draft expected soon. The following is stolen from London First’s and CSSC’s recent announcement:
Although there is no definition yet, it will deal with: ‘capabilities’ such as anticipation and recovery; ‘activities’ such as horizon scanning and contingency planning; ‘attributes’ including decision making and organisational culture; and ‘principles’ focusing on core values, behaviours, leadership and managerial commitment.
- At a second level is the draft BS11200 (Crisis Management: Guidance and Good Practice). It defines a crisis simply and effectively as an ‘abnormal and unstable situation threatening an organisation’s strategic objectives, reputation or viability’.
A crisis is ‘not manageable within BCM procedures’, ‘extraordinary’, ‘unique’, ‘rare’, and ‘a surprise’.
These descriptions encapsulate the nature of a crisis and point to the approach needed to survive it. What follows is a guide on how to grapple with it.
Crisis Management Policy
Policies and procedures need to be robust and frequently tested, with the results evaluated and the resulting changes implemented.
A headline policy might be:
- Crisis Management (CM) protects our people, stakeholders, workplaces, IT, communications, supplies, and the continuity of our business, from major events that seriously threaten us.
- A crisis management plan (CMP) must be designed, communicated and tested by each division and subsidiary, in line with company crisis management and risk management doctrine.
- Our CMP exists in close partnership with our security plans and business continuity plans (BCP), and one cannot be invoked without understanding the others. Every member of the company is expected to know their own role in the CMP and how it fits with that of their department.
Crisis management structure
A company needs formal but flexible structures to manage crises. Depending on how the business is constituted, a corporate crisis team might provide strategic oversight, or directly manage a crisis affecting the future of the whole organisation; in the latter case the head of the company might personally manage the crisis.
CM teams at functional and regional levels would make decisions relevant to a business line or region, and interface with other affected parts of the business and individual country crisis teams. A country crisis could be handled locally with oversight at regional level. A crisis in a manufacturing plant might be handled by the business line at its own various levels, with oversight by the regional team.
Preparation for a crisis
Flexibility, however, does not mean ‘decide on the night’. Scenario based rehearsals of the various possibilities are crucial to success and survival. Reaching the stage where rehearsals and exercises add value needs a disciplined approach.
Note that an exercise can also be highly useful as a first step, where a company realises its plans are weak, or do not reflect recent mergers, acquisitions, or changed business lines and practices. It might also work when one part of the business (often IT, security, HR or business continuity) believes a shortfall exists, but needs to demonstrate the risks in order to convince wider management. If carefully, honestly and objectively designed, with participants chosen from senior people in the business lines and countries likely to be affected by a crisis, and supported by the infrastructure departments whose services are likely to be called upon, an exercise of that sort can work wonders. It can shine a powerful spotlight on what could cause a crisis, what could go seriously wrong, and how revenue streams and reputation could evaporate along with the lives and livelihoods of the people for whom the business is accountable.
However, a preliminary exercise is not a substitute for what comes later, that is, plans that build in regular training and rehearsal.
The start point of designing a plan is a business impact analysis (BIA). The BIA is often seen as the province of business continuity management (BCM), but the author’s view is that all parts of the resilience cycle start with a BIA, including a CMP. If protection measures do not reflect the risks faced by the business – all risks, not just ‘security’ risks – then it is hard for security to explain with a straight face why they are there.
This is not the place to describe a BIA, CMP or BCP, or to justify the author’s view that a BCP is best invoked via a CMP. However, here are some outcomes that are often missed:
- Testing and training: should be included in a CMP, with dates, as well as allowing for surprise exercises.
- Public safety: the best exercises include stakeholders, if only as observers, as well as sister organisations, suppliers, distributors, and regulators. A key component is often the public safety services that need to know how you will call on them, and how your plans might conflict with theirs.
- Metrics: preparedness for a crisis relies on data; not just where people are or might go, and which processes might be affected, but also knowing, for example, who has not renewed their plans in line with policy, who has not been trained, or who has not been allocated roles in line with their CMP. A metrics process should capture this data routinely.
- Focus on business-as-usual (BAU) as the final outcome of a CMP: the resilience cycle chart shows security as the pivot, and describes it as BAU and as the start and end state. A CMP needs to deliver and train to that normality, or it will be incomplete.
Crisis Management Exercises
The most important element of an exercise is to have it! Planning is important but there is no need to over-plan. It is better for stakeholders to see the company as it is, dealing with lessons learned, than to have them sit through a staged success. Provided the exercise does not itself become a disaster zone, the stakeholder is drawn into becoming part of the solution.
If we accept the BS11200 description of a crisis, scenarios can be almost anything provided they challenge decision makers and test plans. If BAU security falls short of the standard’s threshold for a crisis (‘abnormal’, ‘not resolvable through pre-defined plans’), then the scenarios are better selected as an outcome of the risk assessment and, by definition, the risk acceptance process. Otherwise there is nothing wrong with the stalwarts of ‘loss of critical building’, ‘terrorism’, or ‘pandemic’. These three offer different perspectives, and can be channelled in various directions. They also offer stories that are ‘instant’ vs ‘slow burning’, global vs regional and local, or full resilience cycle vs quick return to BAU.
Table top exercises (TTX)
If forced to choose, live exercises (LivEx) should make way for TTX. Having both is preferable but, staying with BS11200, communication, decision making and coordination of valid responses are crucial to surviving the unexpected, and it is hard to run a LivEx around the extraordinary.
The following is a general guide to a TTX.
- Precede it with a training session (can be e-training or virtual).
- The TTX should focus on decision making, including incident management, CM, BCM, security, and return to BAU.
- Good themes are people, products and processes. Good issues are supply lines, IT and communications.
- Using real CM facilities, participants can work from their own countries; similarly, the TTX can be multi-regional or global, without commensurate escalation of resource.
- Pressure on participants comes from selection of best options, not from volume or speed of activity.
- An example chief scenario might be a build-up to international conflict or disaster, the conflict or disaster itself, and return to normality.
- If there are limited resources or experience, commission a specialist firm to plan and run the TTX entirely or, better, to embed a specialist temporarily in order to understand gaps and requirements, design an exercise around them, and harness the organisation’s resources to run it under supervision. In this way the company’s HR controls the HR elements, IT controls the IT elements, and the key business lines likewise.
- Provide a CM room for local participants and a control room for TTX controllers and observers.
- Ensure good IT connections and communications.
- Consider CCTV / audio so the control room can observe the CM room remotely.
- Have exercise ‘BBC’ type input into the CM room.
- For people participating remotely, consider WebEx type links.
Finally, lessons learned (LL) are vital, and the TTX should build in participant wash-ups and longer-term post-exercise analysis, supported by implementation metrics. Here is a list of common LL:
- Planning and readiness during BAU are essential.
- Develop Company relationships and mutual support inter-country and intra-region.
- Develop relationships between the Company and distributors, manufacturers, and suppliers.
- Include suppliers’ roles in crisis plans, e.g. utilities, security, building restoration, and salvage or restoration of critical resources and documents.
- Include staff welfare, payments, and communications in crisis plans.
- Design effective processes to sustain CM teams; prepare a shift or ‘follow-the-sun’ system. People need to sleep.
- Have prepared crisis management rooms, and alternatives, at regional and country levels.
Especially: have fun.
Director of Risk and Information Services, Pilgrims Group