Crisis Management - essential planning for any organisation


Organisations today face ever increasing challenges that require a strategic, adaptive and timely response in order to preserve business continuity and mitigate reputational damage.

The connected nature of IT systems means that cyber threats are ever-present and no organisation is safe from attack by state and non-state actors seeking political or financial gain. Natural disasters, political conflict, insider threats and terrorist attacks are issues that all types of organisation must develop the capability and competence to deal with. Social media adds to the need to respond quickly and thoughtfully, and its considered use is a key factor in de-escalation and business continuity. Communication is the key to managing a brand or reputation during a crisis or emergency.

A structured approach to crisis management is needed: a crisis management framework is developed from a set of principles, and security and resilience are then driven by considered processes. ISO 22301 is the international standard for implementing and maintaining effective business continuity plans, systems and processes. It aligns with many other internationally recognised management system standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management), and is designed to be integrated into an organisation’s existing management processes.

Continual Improvement

Risk Levels
Major corporations such as Sony have been high-profile victims of cyber attacks: 77 million PlayStation accounts were compromised and the network was down for 23 days. All types of organisation remain vulnerable, however; Hackney Council and the Castle School Education Trust, for example, were victims of ransomware attacks.

Recently the EU announced a cyber rapid-response team (CRRT) was being deployed across Europe after a call for help from Ukraine. Hacker groups have also claimed responsibility for causing disruption to Russia’s digital infrastructure.

The Crisis Management Team
The decision makers in the organisation need to analyse all the key principles related to a crisis or emergency:

  • Governance
  • Strategy
  • Risk
  • Decision Making
  • Communication
  • Ethics
  • Learning

The Crisis Management Team (CMT) is the group of individuals functionally responsible for leading the organisation’s crisis management response. The leader of the CMT may or may not be the CEO. If not, the role of the CEO and the level of authority of the CMT leader must be defined.

One common feature of crises is that they occur and escalate quickly. Effective leadership in these situations requires a clear strategy and procedures that override confusion and emotion.

The Crisis Management Plan
The CMT will base decision making on the Crisis Management Plan (CMP). This detailed plan analyses the what, how, who, when, and why.

The next step in creating a CMP is to identify what types of crises the organisation could potentially face. A risk assessment matrix identifies things that can go wrong and weights each one by its likelihood of occurrence and its potential impact, making it easier to prioritise risks for mitigation. Consequences can be ranked into categories of severity, ranging from negligible to catastrophic. Risks evolve constantly, so the risk assessment matrix must be updated and maintained to take account of this.

Risk matrix
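As an added worked example of the risk matrix described above (example code written for this page, not part of the original article): a small risk register is scored on five-point likelihood and consequence scales, ranked, and then reassessed when a likelihood changes. The consequence labels follow the page's "negligible to catastrophic" range; the numeric weights, the priority bands and the sample register are all assumptions constructed for this example.

```python
from dataclasses import dataclass, replace

# Five-point scales. The consequence labels span the page's "negligible to
# catastrophic" range; the numeric weights and the priority bands below are
# assumptions made for this example, not values from the original article.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str

    def __post_init__(self):
        # Reject labels that are not on the agreed scales so that a typo in the
        # register cannot silently produce a wrong score.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood!r}")
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown consequence: {self.consequence!r}")

    def score(self) -> int:
        # Cell value of the 5x5 matrix: likelihood weight times consequence weight.
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def priority(score: int) -> str:
    """Map a matrix score to a priority band (band edges are assumptions)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank(register):
    """Return (name, score, priority) tuples, highest score first."""
    ordered = sorted(register, key=lambda r: (-r.score(), r.name))
    return [(r.name, r.score(), priority(r.score())) for r in ordered]


def reassess(register, name, **changes):
    """Return a new register with one risk's likelihood/consequence updated.

    The matrix must be maintained as risks evolve; this keeps the old register
    intact so that the change is auditable.
    """
    return [replace(r, **changes) if r.name == name else r for r in register]


# Constructed sample register, not taken from the article.
REGISTER = [
    Risk("Ransomware on file servers", "likely", "major"),
    Risk("Email server outage", "possible", "moderate"),
    Risk("Flooding of the data centre", "unlikely", "catastrophic"),
    Risk("Lost staff access badge", "likely", "negligible"),
    Risk("Insider data theft", "unlikely", "major"),
]

if __name__ == "__main__":
    for name, score, band in rank(REGISTER):
        print(f"{score:2d}  {band:8s}  {name}")
```

Running the block prints the register in priority order, with the ransomware scenario at the top. Reassessing the flooding risk from "unlikely" to "possible" lifts it from a high to a critical band, which is the kind of re-ranking the maintenance step in the text exists to capture.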

Once the potential risks have been identified, a business impact analysis can assess the potential impact a crisis may have on the operations of the organisation: disruption to production, blocked processes, financial losses, reputational damage and so on. This business impact analysis then lays the foundation for more systematic and logical response plans.

Activation protocols
Incorporating trigger points and thresholds helps define the circumstances that activate a particular crisis response. This also allows the response to be escalated, as the full extent of a crisis may not be apparent at the onset. Defining reset levels allows a crisis to be de-escalated to the previous level.
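As an added illustration of trigger points, thresholds and reset levels (example code written for this page, not part of the original article): an escalation ladder is driven by a single metric, here assumed to be the number of hosts showing signs of compromise. The level names, the thresholds and the sequence of observations are constructed assumptions. Because each level's reset value sits below its trigger, a metric that hovers just under a trigger does not cause the response to flap between levels, and de-escalation steps back one level at a time; a trigger-only rule is included for comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    name: str
    trigger: int  # metric at or above this activates the level
    reset: int    # metric must fall below this before stepping down from it


# Constructed escalation ladder for this example. The metric is assumed to be
# the number of hosts showing signs of compromise; names and numbers are not
# from the original article.
LEVELS = [
    Level("monitoring", trigger=0, reset=0),
    Level("local team", trigger=1, reset=1),
    Level("CMT activated", trigger=5, reset=3),
    Level("full crisis", trigger=20, reset=10),
]


def validate(levels):
    """Reject ladders whose triggers do not increase or whose reset exceeds its trigger."""
    for lower, upper in zip(levels, levels[1:]):
        if upper.trigger <= lower.trigger:
            raise ValueError(f"trigger for {upper.name!r} must exceed {lower.name!r}")
    for lvl in levels:
        if lvl.reset > lvl.trigger:
            raise ValueError(f"reset for {lvl.name!r} must not exceed its trigger")


def next_level(current: int, metric: int, levels=LEVELS) -> int:
    """Escalate to the highest triggered level; de-escalate one level at a time."""
    highest = max(i for i, lvl in enumerate(levels) if metric >= lvl.trigger)
    if highest > current:
        return highest
    # Only step down once the metric has fallen below the current level's reset.
    if current > 0 and metric < levels[current].reset:
        return current - 1
    return current


def naive_level(metric: int, levels=LEVELS) -> int:
    """Trigger-only rule with no reset level, for comparison."""
    return max(i for i, lvl in enumerate(levels) if metric >= lvl.trigger)


def run(observations, levels=LEVELS):
    """Return the response level name after each successive observation."""
    validate(levels)
    level, trace = 0, []
    for metric in observations:
        level = next_level(level, metric, levels)
        trace.append(levels[level].name)
    return trace


def run_naive(observations, levels=LEVELS):
    """Same observations under the trigger-only rule."""
    return [levels[naive_level(m, levels)].name for m in observations]


# Constructed sequence of hourly observations of the metric.
OBSERVATIONS = [0, 2, 6, 25, 12, 8, 8, 2, 0, 0]

if __name__ == "__main__":
    for metric, with_reset, trigger_only in zip(
        OBSERVATIONS, run(OBSERVATIONS), run_naive(OBSERVATIONS)
    ):
        print(f"{metric:3d} hosts  with reset levels: {with_reset:14s}  trigger only: {trigger_only}")
```

The fifth observation (12 hosts) is where the two rules diverge: the trigger-only rule drops straight back to "CMT activated" because 12 is below the 20-host trigger, while the reset rule stays at "full crisis" until the count falls below 10. A sudden drop to zero after a full crisis still steps down one level per assessment rather than jumping to "monitoring", matching the text's de-escalation to the previous level.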

Chain of command
The structure of roles and responsibilities needs to be included in planning so that it is clear who has final authority and what the reporting channels are. In more complex organisations this may include an HQ team and local teams. Many organisations fail to consider how senior leaders outside the crisis team, such as the chair of the Board and non-executive directors, will organise themselves; the chaotic nature of a crisis gives such leaders opportunities to hinder or contradict the responding teams. The location of the command centre, whether virtual or in-person, should be specified, and a backup command centre should also be designated.

Response Action Plans
Having identified risks, detailed planning on responses to various scenarios can then be performed including responsibility for each task. These plans should cover all types of crisis rather than a specific crisis so that they are applicable to any crisis that unfolds.

Internal Communication plan
Ensure that there are pre-determined systems and backup measures for the CMT to communicate with each other. Notification methods can be pre-determined to ensure consistency and clarity. Internal communication with all employees will also need to be considered to determine how urgent information can be quickly and easily shared.

Recording actions in an incident log is good practice and aids the debrief process. Employers must keep a record of all injuries at work in an accident book. As well as keeping records in the accident book, the law requires specified injuries and deaths arising from accidents at work to be reported to the Health and Safety Executive (HSE) under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR).

External Communication plan
Emergencies can quickly evolve and new forms of media allow information to be quickly and easily disseminated in real time. It is critical that high quality and timely communication occurs during the crisis. Brand reputation is at stake during any crisis and an effective communication response is a key factor in protecting this.

The case of Boeing in the aftermath of the two 737 Max crashes is an oft-cited example of poor corporate communication that led to cancelled orders and a multi-billion dollar settlement.

Conversely, when a Virgin Galactic test flight crashed in 2014, the company responded quickly and actively, communicating about the incident with a consistent message. By taking control of the message it was able to shape the narrative.

All resources likely to be required in a crisis should be considered in the CMP. This can range from contact lists to keys to hard hats. Backup options should be considered to deal with situations where the primary method is no longer viable due to the crisis. For example, if a cyber attack takes down an email server, consider how staff communication will then take place.

Exercising and testing
Effective crisis management requires relentless testing and exercising to ensure that the capability exists to adequately execute the CMP.

The classic method of testing is a tabletop exercise: a scenario-based simulation of a real incident. A properly planned exercise should aim to test all the key points of the CMP, making the exercise as realistic as possible so that it tests decision making rather than simply following a linear set of instructions.

A real-life crisis or incident isn’t clearly set out in a Word document or slide presentation; rather, it unfolds over time as the crisis team receives pieces of information one after another. Each must be assessed and courses of action then implemented. A well-planned exercise should work in the same way, with realistic injects provided over time to give an immersive experience that tests decision making.


A post-exercise evaluation to identify both deficiencies in the plan and any skills gap in the team is essential. Ongoing testing and exercising should be part of the annual crisis management policy.

Exercises (drills or simulations) are not only an important part of any organisation’s incident management activities, ensuring arrangements are robust and fit for purpose; they also provide a valuable and safe opportunity for staff to rehearse their incident role, reinforcing training and building confidence.

Effective exercises do not have to cost the earth or be complex – in fact simple exercises are as beneficial, but it is important to be clear on their purpose and ensure they are relevant to your organisation in order to engage participants and identify learning.

They are the best way to prepare an organisation, teams and individuals to respond.

James Cook
Trust Emergency Preparedness, Resilience and Response Manager
King’s College Hospital NHS Trust