For smaller organizations, Call Trees, sometimes called Phone Trees, can work.  We're talking small organizations of say 100 or 200 people with 20 to 40 people to be contacted immediately for a role to play in an emergency, with the remaining staff to be contacted up to a few hours later.

But for larger organizations, or situations where you want to contact over a 100 people immediately, it's important to set expectations with senior management around Call Trees.  I was talking to a Business Continuity Manager in a mid-sized company and we were discussing the use of their Call Tree.  I asked the question, "What if it doesn't work well, what if there is a break in the tree?"  I wanted to see if he was prepared for problems and what he had told senior management regarding Call Tree performance.

Murphy's Law

 He hesitated, and then said it worked OK in the last test.  When I pointed out that in a real emergency, key managers in an organization, are usually the ones at the front end of the Call Tree, and they're the ones moving around the office floor to talk to other managers in adjacent offices, they're not at their desks, and probably on their cell phones fielding the first calls coming in prior to the initiation of the Call Tree.  So if they don't receive the phone call to execute their branch of the Call Tree because they are busy, or they become distracted, or have other immediate priorities -- then the entire Call Tree process gets delayed.

So I asked if the manager had set expectations with executive management that Call Tree performance in an Emergency will probably be significantly less than in a test.  The answer was no -- so he's in a situation where executive management may be in for a surprise during a real emergency.

 In the short term, he had no choice but to continue to use a Call Tree so I offered a checklist he could use to help mitigate the problems associated with Call Trees.  The checklist provides a list of problem areas, and what the Call Tree initator should look for.

 But in an emergency, what can go wrong might go wrong, so it's important to set realistic expectations on what a Call Tree process will and won't do.  You really don't want company executives expecting you to execute robust, predictable Call Tree process they can depend upon in an emergency.  There are just too many people factors involved in the chain, sometimes including executives.

Derek Hemington

ERMS

ERMS is a Emergency Notification provider specializing in helping organizations manage vital emergency processes -- enabling effective communications and response to crisis situations and incidents.  ERMS goes beyond notification, addressing risk mitigation, preparedness, in-crisis response and recovery.

For information about ERMS, check out www.ermscorp.com

Crisis Management Critical Success Factor:

Let's start this discussion by painting a crisis scenario. An event has occurred; your building is partially destroyed; there are several employees dead; many more seriously injured; countless unaccounted for and for those who escaped the carnage, they have scattered in a hundred different directions, getting as far away from the site as possible. The event itself is unimportant at this point in time; whether it be a terrorist attack, bombing by a disgruntled employee, an earthquake or a gas main explosion.

Unfortunately, this is also the moment in time when far too often organizations start on their road to Crisis Management ‘hell'. Let's first explore some real life experiences and some of the more common mistakes organizations make:

• Immediately a conference bridge is opened; 20, 30 and possibly 60 or more people are invited to join; and of course, several dozen more join-in uninvited. I don't think I have to explain the upheaval and confusion that will immediately follow; very little will be accomplished and most will wonder ‘why'.
• The person that runs the initial meeting or conference call is the most senior person present, whether it is the President, SVP or a Director. While well-intentioned, it is unlikely that he or she has any ‘current' expertise in Crisis Management; their title simply gives them the authority. This is not the time to teach or learn a new discipline.
• In conference calls or meetings inevitably, the people representing the ‘business' side of life will far outnumber everyone else; thereby influencing the discussion around the business and related business continuity issues; versus the Crisis Management priorities of life safety and protection of the Brand image. Your Risk Manager should be fuming!
• In the absence of coordination and anyone else making decisions, most well-intentioned executives will do so (even when they are not qualified). The real problem is that there will be multiple executives independently making decisions and public statements that will invariably be in conflict. Katrina ring a bell?
• Rumours and speculation are quickly established as ‘facts' in the minds of most and will inevitably result in panic, anxiety and stress; all of which will alter the organization's focus, as well as drive over-reaction and political interference; all based on the organization's internally perceived failures and problems.
• Negative public and media response to the perceived inaction or questionable actions on the part of the organization actually create a crisis within a crisis; one that could generate as much anxiety and stress as the event itself. Unfortunately, far too much focus will be applied to the ‘CYA' objective of some senior management; further complicating response and control of the crisis itself.

Clearly the things that could go wrong; including those listed above, can be avoided, but not through wishful thinking or a belief that your organization is unique. These pitfalls can only be avoided if your policies, standards and in-crisis processes prevent them from occurring.

Crisis Management is not terribly complex. Perhaps the events and threats you must deal with create complexity, but the Crisis Management Program itself is based on a foundation of knowledge, skills and experience that you probably already have. Its success is solely based on a clear delineation of roles and responsibilities, as well as the unwavering authority to do what is necessary to mitigate the impact of a crisis.

The Enterprise Structure

Before we get into the specifics of Crisis Management, I want to present an ‘enterprise' structure of what crisis preparedness could or should look like in the majority of organizations. I like to refer to this high-level structure as the ‘Crisis Preparedness Program' (CPP).

A CPP is comprised of four independent and when required, operationally integrated emergency response functions. Each has a mandate, a role to play, decisions to make and have specific operational owners. These are:

1. Incident Response - An Incident Response Plan represents the actions that will be taken in response to ‘specific' events (incidents) and are developed, maintained and executed by the operational (utility) group most qualified to do so. These would include plans for; violence-in-the-workplace - the responsibility of Human Resources; technology virus detection and eradication - the responsibility of Information Technologies; air / water contamination - the responsibility of Facilities Management; suspicious package - the responsibility of Corporate Security; bad press - the responsibility of Public Affairs and building evacuation - the responsibility of Safety. This list is actually quite extensive, with the number of plans easily reaching many dozen within a mid-size organization. An ‘incident' will not necessarily become a ‘crisis'; that decision is made by the Crisis Response Team and dependent on the impact of the event. As an example; receiving a bomb threat is an ‘incident' and only becomes a crisis if ignited.
2. Business Continuity Management - Business Continuity Management (BCM) is just what the name implies; plans developed to minimize operational disruption to the business (with a focus on critical business functions). Business Continuity Management is typically comprised of two response-oriented sets of plans: i) Contingency Plans which provide an alternate / temporary means of providing key aspects of the service until the full service can be restored and, ii) Recovery Plans, that provide the methods and processes to return to a full operational status once the business environment has been restored. Responsibility for Business Continuity Management must rest with those most qualified, Business Leadership and Business Continuity Planners.
3. Technology Continuity Management - Technology Continuity Management (TCM), often referred to (for some archaic reason) as Disaster Recovery, again is actually comprised of two response-oriented sets of plans: i) Contingency Plans which provide alternate technology and computing services and facilities and ii) Recovery Plans, representing the processes implemented to restore technology based services. Technology Continuity Management must always be in direct synchronization to Business Continuity Management to ensure the organization's business priorities are being satisfied. Responsibility for Technology Continuity Management in the organization is Information Technology and those assigned to the role of Technology Continuity Planners.
4. Crisis Management - Unlike the previous three Crisis Preparedness Program components, Crisis Management has multiple roles in situations that are classified as ‘crises' to an organization. The mandate of Crisis Management is primarily response and control of a situation that threatens life safety, brand image and other assets of the organization. This also represents the absolute priorities of Crisis Management and, by far, the number one priority is ‘life safety', followed by protection of the brand image. Simply put, Crisis Management must never, not even for a moment, consider an event's impact on the business until such time as the first two priorities are fully addressed. While general responsibility for direction and development of a Crisis Management Program most often resides with Corporate Security, the process of response and control is shared amongst the organization's utility groups.

This alignment of roles and responsibilities provides the framework for the most competent people in their respective area to do the job they are most qualified to do; to use the skills and expertise they possess to make decisions based on information they are provided. Put another way; would you want someone from Corporate Security deciding when Business Continuity Plans should be activated or someone from Human Resources interacting with the local police on what actions are required or someone from Health & Safety driving your technology recovery efforts; of course not, it is simply ensuring the right people are assigned the most appropriate roles.

Back to the topic at hand.....

Having provided a general framework for responding to any event or threat, let's now refocus on Crisis Management and specifically the Crisis Management Organization. I believe there are two separate teams within a Crisis Management Organization; each having a specific membership, mandate and in-crisis role. These are:

• A Crisis Management Team (CMT) should be comprised of the most senior executive and all and only his / her direct reports. The Crisis Management Team is the highest level in-crisis decision making authority; after-all making decisions are what they do best. Why should it change just because you are in a state of crisis? The only thing that is different is that, instead of their own direct reports collecting and assessing information and making recommendations for their approval, it will be a Crisis Response Team that will be collecting the facts, performing the assessment and making recommendations for their approval.
• A Crisis Response Team (CRT) should be comprised of a location's ‘utility' groups, with a single representative and at least one designated backup from the following; Corporate Security, Safety, Employee Relations / Human Resources, Corporate Affairs and Communications, Facilities Management / Real Estate, Medical Services, Information Technologies and Business Continuity Management. The Crisis Response Team is operationally responsible for all aspects of the organization's response to a crisis situation and management of that event throughout its duration.

Alignment of Role to Qualifications

Every action and every decision requires knowledge, experience, skill and a great deal of discipline. Having the wrong persons making life-safety decisions is risk mitigation in reverse! Are you willing to gamble the lives or safety of your employees for the sake of an outdated approach to in-crisis decision making.

Previously I stated that for most organization's the Crisis Response Team should be comprised of up to eight people representing key ‘utility' functions The reasons are very simple:

1. These functional groups collectively are responsible on a day-to-day basis for all emergencies, problems and crises across the organization - they possess the knowledge, skills and experience to manage a crisis - they already know what to do, when and how, should a crisis occur.
2. They represent every aspect of an organization's Crisis Preparedness Program. While it will be the Crisis Response Team that determines what in-crisis actions should be taken, it is their individual departments that have what it takes to follow through on those decisions.
3. Adopting this team structure and membership will ensure that absolutely every key internal and external stakeholder will be provided the in-crisis information they require in a consistent and timely manner.

The CRT is your SWAT Team; they are your first responders; they are the only ones that can do what needs to be done. If they need advice or additional help, let it be the CRT who determines who and when. At some point in a crisis, there may be business, financial or legal issues, but wait until there are before engaging those groups. Do not have anyone on your CRT that is not currently engaged in some aspect of your organization's Crisis Preparedness Program.

For clarity, I am not saying an organization that is in a state of crisis should ignore the ‘business'; it is most definitely critical, just not a priority of Crisis Management. It is and should be a priority of Business Leadership and the Business Continuity / Technology Continuity Management teams. Your Crisis Response Team, by way of the BCM and TCM members, will ensure Business and Technology Leadership are kept current with the status and actions being taken by the organization.

When we talk about in-crisis decision making, it is equally important to discuss in-crisis roles and responsibilities; decision making and role are often entwined.

Crisis Management Team - In-crisis Responsibilities

• highest level decision making authority for recommendations and / or alternatives provided by the CRT,
• support the mandate, role and responsibilities of the CRT across the enterprise,
• news media spokesperson / media relations,
• represent organization to families of dead or injured,
• moral support and inspiration for employees,
• deflecting well intentioned political interference away from the CRT,
• interface to Board of Directors and Shareholders,
• interface to Collective Bargaining Units,
• interface to regulatory bodies and agencies,
• address all legal and financial issues and requirements,
• address any liability issues that may arise from an event,
• interface with ‘key' customers in terms of status and actions being taken.

Crisis Response Team - In-crisis Responsibilities

• take necessary actions at the onset of a crisis,
• collect facts while dispelling rumours and speculation,
• determine if it is an ‘incident' to be responded to or a ‘crisis' to be managed, 
• continuous situational assessment as the crisis unfolds,
• determine a course of action for all response functions and groups,
• Interface to all external authorities,
• coordination of all response actions and plans,
• disseminate accurate and consistent status information,
• only provider of status information to all key stakeholders,
• enterprise-wide response and control of the threat or event,
• communicate, communicate, communicate!

Managing a crisis in some respects is similar to managing any aspect of your business. An organization goes to great extents to ensure it is organized to deliver on its corporate mandate or purpose for being. You put experience, skills and knowledge together to ensure success. In a crisis, it is no different; you must put the right experience, skills and knowledge together in order to make the best in-crisis decision you can.

Your organization has the knowledge, skills and experience necessary to manage a crisis. Make certain that those individuals make-up your Crisis Response Team and they are given the authority, responsibility and tools necessary to ensure Crisis Management will succeed.

Let them do their job - you will be amazed!

Stay tuned: Part E of the ‘In-crisis Decision Making' Series, entitled ‘Can The Majority Be Wrong?' establishes the rationale behind one of the most important in-crisis operating standards - majority rules decision making!

Dennis C. Hamilton, FBCI Hon, is the President of Crisis Response Planning Corporation (http://www.crpccrisismanagement.com/), an internationally recognized emergency management consulting services company. For over 20 years Dennis has been dedicated to the discipline of Crisis Management, earning the recognition and reputation as one of North America's foremost practitioners and advisors to businesses in all primary industries. Dennis can be reached at 416-500-5517 or dennis.hamilton@crpccrisismanagement.com This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .

Crisis Management Critical Success Factor:

A Crisis Response Team (characterized in Part A), adopting a structured in-crisis process, can make effective decisions, however; if it cannot communicate those decisions and resulting actions to those who need to know, it will have the same impact as not making a decision to begin with.  Whether providing information or instructions to employees, countering rumours or issuing proactive communications to external stakeholders (i.e. customers, the media, critical service providers) the need to issue time-sensitive communications at the outset, during and after a crisis situation is the operational foundation of Crisis Management.  Every decision has a consequence and will always result in a response on the part of others.  In the absence of vital information, internal and external stakeholders will apply their own assumptions and readily make decisions; usually with an unfavourable outcome.

In-crisis Communications can be defined as: ‘The dissemination of information or instructions to internal and external stakeholders whose actions or inaction will have a measurable impact on the organization's ability to effectively manage a crisis situation.'

Role of In-crisis Communications

• Provide executive and line management with information necessary to make strategic and tactical operational decisions.
• Provide threat and event status information relevant to internal and external stakeholders.
• Manage rumours, speculation, perception and the application of assumptions as facts.
• Mitigate real-time operational risks.
• Demonstrate that proactive corporate due-diligence was applied at the onset of and during a life threatening situation.
• Provide action or no-action instructions to targeted stakeholders.
• Provide time-sensitive information to ensure the safety and well-being of employees.
• Satisfy regulatory or mandated reporting requirements.
• Keep the organization's first responders and various emergency response teams, business continuity and recovery teams focused on their response roles by sharing information and assistance to balance their commitments to the organization and obligations to their families.

The Requirement

Communication requirements in a crisis can be summed up very simply:

• Communicate to possibly thousands or even tens of thousands of stakeholders,
• Utilize multiple communication channels (telephone, email, cell phone, PDA, text messaging, fax) to ensure contact will be made,
• Reach stakeholders within minutes or very few hours.

Technological advancements in mass communications has created wide-spread and permanent expectations on the part of employees and other stakeholders; expectations that are founded on the belief that the organization possesses the capability to provide timely and vital information.

A fully automated communications / notification capability is no longer an operational nicety; the era of manual call-trees is over.  A previous CRPC article entitled ‘Call Trees - A Solution or Wishful Thinking' is probably a good read if you still rely on manual call-trees as a component of your communications strategy.

This capability can be effectively satisfied through an internally provided communications facility or through a commercially provided service.  In most cases, organizations have determined that the lower cost and well-maintained capabilities of commercially provided services far outweigh any advantages of an internally developed and maintained solution.  For organizations in search of a commercially provided solution, there may be value in reviewing the CRPC white-paper entitled ‘Emergency Notification - Service Selection Guide'.

A word of advice - don't justify the use of an automated solution solely based on your in-crisis requirements; there are countless non-emergency uses lying in wait for a solution.  Organize and facilitate a planning workshop with business leaders throughout the organization to identify uses of a communications tool; the number of justifying applications will astound you!

Consequence of Failed Communications

Executive management, Board of Directors and regulatory agencies have or will have in a crisis, expectations that your organization possesses a communications capability and that you can effectively and in a timely manner provide required information and instructions to all stakeholders in a crisis situation.

If you cannot meet these expectations, ensure the most senior executive of your organization has categorically stated and documented the decision that the organization will assume all risks and consequences of failed communications.  Those risks include;

• Loss of life or serious injuries due to the slow provision of critical life-safety information and instructions,
• Liability of executive management, Board of Directors and senior management due to failure in the provision of adequate protection and care of employees,
• Negative media reactions based on rumours, innuendo and the absence of fact-based information,
• Loss of employee trust in management that the organization will in fact provide adequate care and protection to employees while at work,
• Unfavourable market reaction by Customers and Shareholders,
• Random and conflicting decision-making by various managers having misguided, but good intent,
• Failure to satisfy regulatory requirements,
• Costly delays in response by the organizations first responders and business leaders,
• Failure to meet the legal and operational requirements of corporate due diligence,
• A permanent change in the organization's highly valued culture; which in turn affects productivity, loyalty, work ethic and long terms success or failure of the organization.

Of course if you have already implemented an automated communications solution, that is a great start.  Ensure it is designed to support what could be complex in-crisis requirements and processes of Crisis Management and all other emergency response practices of your Crisis Preparedness Program.

Stay tuned:     Part D of the ‘In-crisis Decision Making' Series, entitled ‘Let Them Do Their Job` will clearly demonstrate that you already have the knowledge and skills required to effectively manage a crisis; you simply may not be using them!

Written by Ray Ganong, guest blogger

When you're considering a solution to address notification requirements, consider the advantages of a hosted solution provider.  Notification service providers can solve a variety of business problems, some with a clear ROI.  ROI examples include proactive operational communications such as notifying delinquent credit account holders of their outstanding balances.

Other problems solved by notification services are a best practice approach to cost avoidance through the use of notification as insurance.  Examples include notification of stakeholders (including staff) about building closures. Those closures could be the result of man-made or natural events and the notification messages would direct employees to alternate work locations, or to stay at home until further notice.

If you have a need to send voice messages to a large audience consisting of thousands or even tens of thousands of recipients then the capacity of your voice network is a limiting factor.  Dedicated notification providers have purpose-built networks to accommodate the necessary traffic load, which is particularly important in crisis situations. 

Your in-house capacity for message delivery would be severely impacted by a crisis messaging solution that relied on your internal network. Your normal business operations would be degraded, and you still may not have the capacity to meet your crisis messaging requirements.

Also, having a provider that has operations that are geographically remote from your operations delivers a big advantage. You never know what network is going to be out of commission or severely degraded during a crisis. An example of this is the 2003 blackout in the north-east. Having a third-party hosted solution provider allows you to deliver critical messages to all stakeholders even if your organizations network is unavailable or constrained. By trying to send messages via multiple networks and devices, a hosted solution provider increases the probability of delivering messages to recipients.

And, don't underestimate the requirement for handling personal calls during a crisis. You have employees making outbound calls to loved ones, and you have friends and family members making inbound calls to get status updates. These calls consume valuable operational resources that degrade an organizations ability to meet normal obligations. A crisis notification solution that is hosted outside your network, and that handles these personal calls, totally offloads this type of communication from your network.

Call Trees - an interesting idea...one that's been used in various forms and fashions for years.  Under the right circumstances it may even work (in small organizations that is).  More often than not, expectations far outweigh the actual probability of success.  In fact, in my 25 + years of Crisis Management experience I have never seen a manual ‘call tree' even come close to being effective in a real crisis situation.

Call trees arose from the need to communicate information or instructions to relatively large numbers of people as quickly as possible, typically in an emergency or crisis situation.  The premise is that emergency has prevented access to your facility or happens to occur when your employees are not at work.

Let's assume you must reach 2,000 employees with a single SHORT message.  Now, to start the ball rolling, you simply ask one person to call two more people and deliver the message.  Those two people would call two more people; those four people would then call eight people and so on, until you've reached all 2,000 people that must receive the message.  Simple and effective - as long as the planets are aligned, you're unbelievably lucky and every one of your employees is at home waiting for a call they are not expecting!  Bottom-line, the process simply will not work - ever, but it sure looks good on a diagram!

The number one reason for failure is the 100% probability that the call-links will be broken and that all corresponding call-chains will come to a grinding halt.  Not reaching one person could end your ability to reach 50% of your people.  Now think about reaching 2,000 people on a beautiful Saturday afternoon on a long weekend; your probability of success is zero.  It can literally take days to successfully reach everyone on the list.  This coupled with the headaches associated with maintaining accurate contact information make call trees a very ineffective tool for emergency notification.

Most call trees have people's home phone number, with the assumption they're always reachable.  Some add a cell phone, but rarely do they go past two devices.  Other than members of your Crisis and Emergency Management Teams, employees are not waiting around to receive company calls on a weekend.

Experience has shown that when you are conducting unscheduled calls, it will average at least 3 attempts per person to make contact and it could be 6.  Lots of questions come to mind, such as: how long do you wait between calls, do you attempt to find others to make additional calls; do you leave a message and assume that person will eventually make his or her calls, how do you verify that they did, do you have people call you back?  There is a consequence to every one of these questions; the answers to which will always lower the probability of success.

When you are physically calling someone to provide information and instructions, you will always exceed the projected time it takes to complete the call.  People will have questions and interestingly enough, the more senior the person you're calling, the longer the call will take.

Experience has shown that when a message is verbally passed on from person to person, the message itself begins to change on the third repeat and by the sixth repeat; the message may not even resemble the original.  In reaching 2,000 people in our scenario, the message would need to be repeated perfectly 2000 times by 1,022 people calling out.

I don't know about you, but I sure wouldn't want to bet my company's survival on 1,022 people accurately relaying a message in a short time frame.  In fact, the use of manual call trees (versus the use of automated tools such as ERMS Messenger) would never pass as an effective means to mitigate the intended risk.

For the record, to reach 2,000 employees using a manual call tree there will be 11 call levels, 1,022 people repeating the message -- it will require roughly between 6,000 and 12,000 actual calls and take anywhere from 10,000 to 34,000 minutes based on call lengths of 3 to 12 minutes and call attempts of 1 minute.  That's 167 to 567 hours of effort to complete and the time spent by the people receiving the message isn't even included in these numbers.  And it can get much worse.

By comparison, ERMS Advantage Services requires no manual effort and can make 2,000 calls in just an hour or two including time between re-dials.  It's worth a look!