Crisis Management Critical Success Factor:

Let's start this discussion by painting a crisis scenario. An event has occurred; your building is partially destroyed; there are several employees dead; many more seriously injured; countless unaccounted for and for those who escaped the carnage, they have scattered in a hundred different directions, getting as far away from the site as possible. The event itself is unimportant at this point in time; whether it be a terrorist attack, bombing by a disgruntled employee, an earthquake or a gas main explosion.

Unfortunately, this is also the moment in time when far too often organizations start on their road to Crisis Management ‘hell'. Let's first explore some real life experiences and some of the more common mistakes organizations make:

• Immediately a conference bridge is opened; 20, 30 and possibly 60 or more people are invited to join; and of course, several dozen more join-in uninvited. I don't think I have to explain the upheaval and confusion that will immediately follow; very little will be accomplished and most will wonder ‘why'.
• The person that runs the initial meeting or conference call is the most senior person present, whether it is the President, SVP or a Director. While well-intentioned, it is unlikely that he or she has any ‘current' expertise in Crisis Management; their title simply gives them the authority. This is not the time to teach or learn a new discipline.
• In conference calls or meetings inevitably, the people representing the ‘business' side of life will far outnumber everyone else; thereby influencing the discussion around the business and related business continuity issues; versus the Crisis Management priorities of life safety and protection of the Brand image. Your Risk Manager should be fuming!
• In the absence of coordination and anyone else making decisions, most well-intentioned executives will do so (even when they are not qualified). The real problem is that there will be multiple executives independently making decisions and public statements that will invariably be in conflict. Katrina ring a bell?
• Rumours and speculation are quickly established as ‘facts' in the minds of most and will inevitably result in panic, anxiety and stress; all of which will alter the organization's focus, as well as drive over-reaction and political interference; all based on the organization's internally perceived failures and problems.
• Negative public and media response to the perceived inaction or questionable actions on the part of the organization actually create a crisis within a crisis; one that could generate as much anxiety and stress as the event itself. Unfortunately, far too much focus will be applied to the ‘CYA' objective of some senior management; further complicating response and control of the crisis itself.

Clearly the things that could go wrong; including those listed above, can be avoided, but not through wishful thinking or a belief that your organization is unique. These pitfalls can only be avoided if your policies, standards and in-crisis processes prevent them from occurring.

Crisis Management is not terribly complex. Perhaps the events and threats you must deal with create complexity, but the Crisis Management Program itself is based on a foundation of knowledge, skills and experience that you probably already have. Its success is solely based on a clear delineation of roles and responsibilities, as well as the unwavering authority to do what is necessary to mitigate the impact of a crisis.

The Enterprise Structure

Before we get into the specifics of Crisis Management, I want to present an ‘enterprise' structure of what crisis preparedness could or should look like in the majority of organizations. I like to refer to this high-level structure as the ‘Crisis Preparedness Program' (CPP).

A CPP is comprised of four independent and when required, operationally integrated emergency response functions. Each has a mandate, a role to play, decisions to make and have specific operational owners. These are:

1. Incident Response - An Incident Response Plan represents the actions that will be taken in response to ‘specific' events (incidents) and are developed, maintained and executed by the operational (utility) group most qualified to do so. These would include plans for; violence-in-the-workplace - the responsibility of Human Resources; technology virus detection and eradication - the responsibility of Information Technologies; air / water contamination - the responsibility of Facilities Management; suspicious package - the responsibility of Corporate Security; bad press - the responsibility of Public Affairs and building evacuation - the responsibility of Safety. This list is actually quite extensive, with the number of plans easily reaching many dozen within a mid-size organization. An ‘incident' will not necessarily become a ‘crisis'; that decision is made by the Crisis Response Team and dependent on the impact of the event. As an example; receiving a bomb threat is an ‘incident' and only becomes a crisis if ignited.
2. Business Continuity Management - Business Continuity Management (BCM) is just what the name implies; plans developed to minimize operational disruption to the business (with a focus on critical business functions). Business Continuity Management is typically comprised of two response-oriented sets of plans: i) Contingency Plans which provide an alternate / temporary means of providing key aspects of the service until the full service can be restored and, ii) Recovery Plans, that provide the methods and processes to return to a full operational status once the business environment has been restored. Responsibility for Business Continuity Management must rest with those most qualified, Business Leadership and Business Continuity Planners.
3. Technology Continuity Management - Technology Continuity Management (TCM), often referred to (for some archaic reason) as Disaster Recovery, again is actually comprised of two response-oriented sets of plans: i) Contingency Plans which provide alternate technology and computing services and facilities and ii) Recovery Plans, representing the processes implemented to restore technology based services. Technology Continuity Management must always be in direct synchronization to Business Continuity Management to ensure the organization's business priorities are being satisfied. Responsibility for Technology Continuity Management in the organization is Information Technology and those assigned to the role of Technology Continuity Planners.
4. Crisis Management - Unlike the previous three Crisis Preparedness Program components, Crisis Management has multiple roles in situations that are classified as ‘crises' to an organization. The mandate of Crisis Management is primarily response and control of a situation that threatens life safety, brand image and other assets of the organization. This also represents the absolute priorities of Crisis Management and, by far, the number one priority is ‘life safety', followed by protection of the brand image. Simply put, Crisis Management must never, not even for a moment, consider an event's impact on the business until such time as the first two priorities are fully addressed. While general responsibility for direction and development of a Crisis Management Program most often resides with Corporate Security, the process of response and control is shared amongst the organization's utility groups.

This alignment of roles and responsibilities provides the framework for the most competent people in their respective area to do the job they are most qualified to do; to use the skills and expertise they possess to make decisions based on information they are provided. Put another way; would you want someone from Corporate Security deciding when Business Continuity Plans should be activated or someone from Human Resources interacting with the local police on what actions are required or someone from Health & Safety driving your technology recovery efforts; of course not, it is simply ensuring the right people are assigned the most appropriate roles.

Back to the topic at hand.....

Having provided a general framework for responding to any event or threat, let's now refocus on Crisis Management and specifically the Crisis Management Organization. I believe there are two separate teams within a Crisis Management Organization; each having a specific membership, mandate and in-crisis role. These are:

• A Crisis Management Team (CMT) should be comprised of the most senior executive and all and only his / her direct reports. The Crisis Management Team is the highest level in-crisis decision making authority; after-all making decisions are what they do best. Why should it change just because you are in a state of crisis? The only thing that is different is that, instead of their own direct reports collecting and assessing information and making recommendations for their approval, it will be a Crisis Response Team that will be collecting the facts, performing the assessment and making recommendations for their approval.
• A Crisis Response Team (CRT) should be comprised of a location's ‘utility' groups, with a single representative and at least one designated backup from the following; Corporate Security, Safety, Employee Relations / Human Resources, Corporate Affairs and Communications, Facilities Management / Real Estate, Medical Services, Information Technologies and Business Continuity Management. The Crisis Response Team is operationally responsible for all aspects of the organization's response to a crisis situation and management of that event throughout its duration.

Alignment of Role to Qualifications

Every action and every decision requires knowledge, experience, skill and a great deal of discipline. Having the wrong persons making life-safety decisions is risk mitigation in reverse! Are you willing to gamble the lives or safety of your employees for the sake of an outdated approach to in-crisis decision making.

Previously I stated that for most organization's the Crisis Response Team should be comprised of up to eight people representing key ‘utility' functions The reasons are very simple:

1. These functional groups collectively are responsible on a day-to-day basis for all emergencies, problems and crises across the organization - they possess the knowledge, skills and experience to manage a crisis - they already know what to do, when and how, should a crisis occur.
2. They represent every aspect of an organization's Crisis Preparedness Program. While it will be the Crisis Response Team that determines what in-crisis actions should be taken, it is their individual departments that have what it takes to follow through on those decisions.
3. Adopting this team structure and membership will ensure that absolutely every key internal and external stakeholder will be provided the in-crisis information they require in a consistent and timely manner.

The CRT is your SWAT Team; they are your first responders; they are the only ones that can do what needs to be done. If they need advice or additional help, let it be the CRT who determines who and when. At some point in a crisis, there may be business, financial or legal issues, but wait until there are before engaging those groups. Do not have anyone on your CRT that is not currently engaged in some aspect of your organization's Crisis Preparedness Program.

For clarity, I am not saying an organization that is in a state of crisis should ignore the ‘business'; it is most definitely critical, just not a priority of Crisis Management. It is and should be a priority of Business Leadership and the Business Continuity / Technology Continuity Management teams. Your Crisis Response Team, by way of the BCM and TCM members, will ensure Business and Technology Leadership are kept current with the status and actions being taken by the organization.

When we talk about in-crisis decision making, it is equally important to discuss in-crisis roles and responsibilities; decision making and role are often entwined.

Crisis Management Team - In-crisis Responsibilities

• highest level decision making authority for recommendations and / or alternatives provided by the CRT,
• support the mandate, role and responsibilities of the CRT across the enterprise,
• news media spokesperson / media relations,
• represent organization to families of dead or injured,
• moral support and inspiration for employees,
• deflecting well intentioned political interference away from the CRT,
• interface to Board of Directors and Shareholders,
• interface to Collective Bargaining Units,
• interface to regulatory bodies and agencies,
• address all legal and financial issues and requirements,
• address any liability issues that may arise from an event,
• interface with ‘key' customers in terms of status and actions being taken.

Crisis Response Team - In-crisis Responsibilities

• take necessary actions at the onset of a crisis,
• collect facts while dispelling rumours and speculation,
• determine if it is an ‘incident' to be responded to or a ‘crisis' to be managed, 
• continuous situational assessment as the crisis unfolds,
• determine a course of action for all response functions and groups,
• Interface to all external authorities,
• coordination of all response actions and plans,
• disseminate accurate and consistent status information,
• only provider of status information to all key stakeholders,
• enterprise-wide response and control of the threat or event,
• communicate, communicate, communicate!

Managing a crisis in some respects is similar to managing any aspect of your business. An organization goes to great extents to ensure it is organized to deliver on its corporate mandate or purpose for being. You put experience, skills and knowledge together to ensure success. In a crisis, it is no different; you must put the right experience, skills and knowledge together in order to make the best in-crisis decision you can.

Your organization has the knowledge, skills and experience necessary to manage a crisis. Make certain that those individuals make-up your Crisis Response Team and they are given the authority, responsibility and tools necessary to ensure Crisis Management will succeed.

Let them do their job - you will be amazed!

Stay tuned: Part E of the ‘In-crisis Decision Making' Series, entitled ‘Can The Majority Be Wrong?' establishes the rationale behind one of the most important in-crisis operating standards - majority rules decision making!

Dennis C. Hamilton, FBCI Hon, is the President of Crisis Response Planning Corporation (http://www.crpccrisismanagement.com/), an internationally recognized emergency management consulting services company. For over 20 years Dennis has been dedicated to the discipline of Crisis Management, earning the recognition and reputation as one of North America's foremost practitioners and advisors to businesses in all primary industries. Dennis can be reached at 416-500-5517 or dennis.hamilton@crpccrisismanagement.com This e-mail address is being protected from spam bots, you need JavaScript enabled to view it .

Crisis Management Critical Success Factor:

A Crisis Response Team (characterized in Part A), adopting a structured in-crisis process, can make effective decisions, however; if it cannot communicate those decisions and resulting actions to those who need to know, it will have the same impact as not making a decision to begin with.  Whether providing information or instructions to employees, countering rumours or issuing proactive communications to external stakeholders (i.e. customers, the media, critical service providers) the need to issue time-sensitive communications at the outset, during and after a crisis situation is the operational foundation of Crisis Management.  Every decision has a consequence and will always result in a response on the part of others.  In the absence of vital information, internal and external stakeholders will apply their own assumptions and readily make decisions; usually with an unfavourable outcome.

In-crisis Communications can be defined as: ‘The dissemination of information or instructions to internal and external stakeholders whose actions or inaction will have a measurable impact on the organization's ability to effectively manage a crisis situation.'

Role of In-crisis Communications

• Provide executive and line management with information necessary to make strategic and tactical operational decisions.
• Provide threat and event status information relevant to internal and external stakeholders.
• Manage rumours, speculation, perception and the application of assumptions as facts.
• Mitigate real-time operational risks.
• Demonstrate that proactive corporate due-diligence was applied at the onset of and during a life threatening situation.
• Provide action or no-action instructions to targeted stakeholders.
• Provide time-sensitive information to ensure the safety and well-being of employees.
• Satisfy regulatory or mandated reporting requirements.
• Keep the organization's first responders and various emergency response teams, business continuity and recovery teams focused on their response roles by sharing information and assistance to balance their commitments to the organization and obligations to their families.

The Requirement

Communication requirements in a crisis can be summed up very simply:

• Communicate to possibly thousands or even tens of thousands of stakeholders,
• Utilize multiple communication channels (telephone, email, cell phone, PDA, text messaging, fax) to ensure contact will be made,
• Reach stakeholders within minutes or very few hours.

Technological advancements in mass communications has created wide-spread and permanent expectations on the part of employees and other stakeholders; expectations that are founded on the belief that the organization possesses the capability to provide timely and vital information.

A fully automated communications / notification capability is no longer an operational nicety; the era of manual call-trees is over.  A previous CRPC article entitled ‘Call Trees - A Solution or Wishful Thinking' is probably a good read if you still rely on manual call-trees as a component of your communications strategy.

This capability can be effectively satisfied through an internally provided communications facility or through a commercially provided service.  In most cases, organizations have determined that the lower cost and well-maintained capabilities of commercially provided services far outweigh any advantages of an internally developed and maintained solution.  For organizations in search of a commercially provided solution, there may be value in reviewing the CRPC white-paper entitled ‘Emergency Notification - Service Selection Guide'.

A word of advice - don't justify the use of an automated solution solely based on your in-crisis requirements; there are countless non-emergency uses lying in wait for a solution.  Organize and facilitate a planning workshop with business leaders throughout the organization to identify uses of a communications tool; the number of justifying applications will astound you!

Consequence of Failed Communications

Executive management, Board of Directors and regulatory agencies have or will have in a crisis, expectations that your organization possesses a communications capability and that you can effectively and in a timely manner provide required information and instructions to all stakeholders in a crisis situation.

If you cannot meet these expectations, ensure the most senior executive of your organization has categorically stated and documented the decision that the organization will assume all risks and consequences of failed communications.  Those risks include;

• Loss of life or serious injuries due to the slow provision of critical life-safety information and instructions,
• Liability of executive management, Board of Directors and senior management due to failure in the provision of adequate protection and care of employees,
• Negative media reactions based on rumours, innuendo and the absence of fact-based information,
• Loss of employee trust in management that the organization will in fact provide adequate care and protection to employees while at work,
• Unfavourable market reaction by Customers and Shareholders,
• Random and conflicting decision-making by various managers having misguided, but good intent,
• Failure to satisfy regulatory requirements,
• Costly delays in response by the organizations first responders and business leaders,
• Failure to meet the legal and operational requirements of corporate due diligence,
• A permanent change in the organization's highly valued culture; which in turn affects productivity, loyalty, work ethic and long terms success or failure of the organization.

Of course if you have already implemented an automated communications solution, that is a great start.  Ensure it is designed to support what could be complex in-crisis requirements and processes of Crisis Management and all other emergency response practices of your Crisis Preparedness Program.

Stay tuned:     Part D of the ‘In-crisis Decision Making' Series, entitled ‘Let Them Do Their Job` will clearly demonstrate that you already have the knowledge and skills required to effectively manage a crisis; you simply may not be using them!

Dennis C. Hamilton, FBCI Hon, is the President of Crisis Response Planning Corporation (http://www.crpccrisismanagement.com/), an internationally recognized emergency management consulting services company.  For over 20 years Dennis has been dedicated to the discipline of Crisis Management, earning the recognition and reputation as one of North America's foremost practitioners and advisors to businesses in all primary industries.  Dennis can be reached at 416-500-5517 or dennis.hamilton@crpccrisismanagement.com