Crisis management: Prepare, don’t plan
James Thorpe
The crux of crisis management is to be able to understand, locate, communicate and support your business in times of difficulty, writes Nigel Lea, CEO, Sicuro Group.
Understanding is not just about identifying crisis, it is about recognising the impact to your business.
Locating can be geographically relevant but it is also about knowing which parts of your business are in crisis and which other parts can assist or may in turn suffer during an event.
Communication is ensuring a capability as well as a structure to prevent confusion, aid simplicity and save time.
Support encompasses immediate actions as well as the next steps to recovery from a crisis and often lasts many multiples of the time that the crisis actually existed for.
The key takeaway from all of these is that too many enterprises focus on planning rather than preparation. Individuals, teams, departments and enterprises must be prepared for a crisis rather than only contingency planning specific scenarios.
Being prepared for a function of your business to be affected enables effective planning and reaction when a crisis occurs.
Understand
Knowing that an event that affects you is occurring is normally straightforward, as its effects are felt quickly, in almost all cases immediately.
Some may question whether a cyber-attack, as an example, is always felt immediately and the answer is no.
However, if an attack is underway and it hasn’t been detected or had any effects, then the crisis has not yet started.
Whatever the crisis, there is a need for members of a Crisis Management Team (CMT) to look at why it has occurred.
This will inform analysis of whether it is likely to spread to other parts of your organisation and, if so, then how quickly and how broadly.
Understanding the ‘why’ often allows the scale of the crisis to be understood and addressed. It is essential to understand who and which business functions are affected.
This involves not just listening to those already affected but seeking knowledge from other business functions to see whether effects have been felt there as well.
The follow on to understanding is analysing quickly what is expected to happen next.
Clear answers may not be apparent, so use scenario-based forecasting: if X happens then Y will be affected; if Z happens then A won’t be affected but B will be.
Case study: An enterprise discovered that emails from one of its companies, Company A, were not sending and its inbound traffic had stopped. The immediate questioning showed the enterprise that the email host for Company A was the one affected and that the email function for the enterprise’s other companies was not affected, as they were hosted by a different vendor. This understanding enabled the enterprise to immediately create emails for Company A staff using the unaffected host and maintain business continuity while the ‘crisis’ in the affected company was explored and dealt with.
End state: The email host for Company A had suffered a ransomware attack and those emails were never brought back online. The enterprise’s resilience plan had identified the risk. The preparation had already been achieved by having separate email hosts for separate companies. So, when the crisis occurred, a plan was formed and implemented to provide the redundancy needed.
Locate
Crises are almost always located geographically. One person sat next to another saying, “that’s odd, X has just happened or isn’t functioning”.
Equally a part of a business may be affected by civil unrest, war or terrorism which is immediately and geographically apparent.
The ‘locate’ tenet of crisis management requires the CMT to ask and identify where the affected individuals or business functions are: Is it the physical location of those affected that marks the boundary of the crisis, or is it the business function that is affected regardless of the geographic location?
There is overlap here with the understand tenet.
The two go hand in hand. From initial analysis it is then a short step to identify which other elements of your business will be affected, or how other elements of your business can be used or not used to support this crisis.
Locating a crisis must look further back than the immediate and apparent symptoms of it in order to really understand where it is emanating from and what can be done about it.
Case study: Following on from the email denial explained above, the enterprise concerned initially located its issue as being functional, i.e. the emails weren’t working. The discovery had also been geographical as it was found by two staff working across a desk from one another. The follow on, locate, was to check whether staff in different geographical offices were affected; they were. Further research by the CMT looked at wider IT functions and whether this was a cyber impact being suffered by the enterprise; this wasn’t the case and the crisis was quickly located as being with the email host company. Locating the staff affected and the function affected led to the location of the cause of the issue. Consequently, the crisis as a function was isolated and the contingency plan implemented.
Communicate
Having understood the crisis and located it, communicating that it is occurring, what is being done about it and what the recovery plan is, needs to be achieved swiftly.
An enterprise’s staff must be communicated with clearly, objectively and without the ‘noise’ of uncertainty and rumour.
Vendors, and especially clients, must be told how this affects them and you. Corporate communication in terms of press releases is not relevant to all enterprises and is not covered here.
Mass communication is done normally in business by email, conference calls and messaging apps but, because these means are designed for the ‘normal’, they are often less suited for a crisis.
They are also intrinsically part of the fabric of an enterprise and so can be quickly affected by a cyber-attack or attrition to local infrastructure such as reduction to data coverage for mobile phone networks.
Emergency Mass Notification System – these are available from third parties. They are independent of the enterprise’s IT systems and the key to selecting one is simplicity of use. An ideal mass communications system will allow the enterprise to communicate with its staff over multiple means: SMS removes the need for a data network; a messenger app like WhatsApp is already used by staff, therefore avoiding yet another app having to be downloaded; email.
It should allow for:
- The CMT to send a simple question
- The receiver to give a single digit response using pre-defined answers
- The responses to be received in real time, grouped and further mass communication to these groups conducted as effectively as the initial question
- Staff to volunteer to send their locations which can then be geofenced and used for grouping those affected as well as for additional duty of care compliance and response planning
Support
Support must be broken down into that for individual staff, that for the business and that for clients. On occasion, some or all of these will overlap but they must be identified individually then aligned – or gaps will be created.
Support during a crisis should be further identified as that which can be provided internally (such as the re-prioritising of department or individual roles) and that which can or should be provided by third parties.
The time it will take to deliver the proposed support must be weighed against its effectiveness once it is delivered.
A less effective type of support delivered quickly will often be of greater value than fully comprehensive support delivered much later when the crisis may have passed/has entered a new and debilitating phase.
Case study: Using the email challenge above, the identification, contracting and onboarding of a separate email host vendor would not have been as effective in providing support as using the existing redundancy within the enterprise. The use of a separate vendor came in the recovery phase. Alternatively, in a physical crisis such as that faced recently by many organisations in Sudan, the end state of evacuation of staff was a longer term form of support which on its own would have been too late to be effective. Shorter term relocation and the provision of essential goods was an effective interim solution that provided immediate support while longer term help was coordinated.
Prepare
Preparation is knowing how to achieve something and having the confidence that the individual, team or enterprise can do it. Successful preparation for crisis management is achieved through:
- Engage staff, not just managers and leaders, regularly with simple and short duration training to constantly increase familiarity with the unknown
- Use desk-top exercises focused on the removal of a business function (e.g. the denial of an office location, software, account managers, executive/leadership, communications, life support, secure environment, transportation, supply chain) rather than focusing on why the function has been removed
- Ensure the “desk-top dividend”; the continual building on confidence and capability from point two results in the creation of simple and effective plans – these plans are not for filing and “we’ll bring out plan number four if X happens”; every event will differ, the key is to be able to plan when what occurs is presented as an issue
- Rehearse how you understand, locate, communicate and support
- Use scenarios to add context where useful; don’t waste time and money on complex scenarios that ultimately tell a long story as to why a business function has been affected