Crisis Management Principles of Operation

A Crisis Management Program is based on ‘principles’ and when they’re used collectively they ensure a consistent use of process across the organization. These ‘principles’ include:

• Crisis Management primarily exists to protect and support employees and visitors directly or indirectly impacted by a ‘threat’ or ‘event’ that causes or threatens to cause physical injury, loss of life or trauma resulting from the event or consequential impact as a result of the event.

• Members of the Crisis Response Team (CRT) must be recruited on a voluntary basis, recognized for their contribution and be capable of operating effectively under extreme circumstances and stress.

• The Crisis Management Organization (CMO) must be positioned to ‘act/make decisions’ without organizational or political interference while the organization is in a state of crisis. The CMO must have unrestricted authority to respond in the best interests of all stakeholders.

• The Crisis Management Team (highest level decision-making authority) and the Crisis Response Team will always respond as coordinated bodies, demonstrating consensus on all decisions made while each member has an equal voice and vote on matters requiring a majority affirmation.

• The existence, structure, membership and role of the CMO should be public information and promoted within the organization as a necessary and vital process, and lastly, reinforced on a consistent and regular basis.

• Crisis response decisions will be made in the best interests of the organization and all stakeholders and will supersede the existence or normal interpretation of all or any policy or standard operating procedure.

• Members of the Crisis Response Team(s) and their management must recognize that in a state of crisis, participation on the Crisis Response Team is their only priority.

• In the state of crisis, the CMO will be the only organization representative to all internal organizational units and external organizations participating or impacted by the event.

• The CMO must possess the capability and capacity to communicate within the CMO, and to all external stakeholders requiring instruction or information.

• It’s only the Crisis Response Team that can decide whether or not the organization is actually in a state of crisis. That decision is based entirely on their knowledge, expertise, training and the actual or probable impact of an event or threat. A yes decision triggers formal activation of the Crisis Management Program.

• The CMO must possess (or have immediate access to) the knowledge and capability to make critical time-sensitive decisions related to any issue that may surface from any event. These include: the capacity to evaluate threats, risk and probabilities of the impact of an event, and any consequential impact from an event.

• Crisis Management does not replace or alter the mandate or role of participating organizational utility groups; nor any existing standard emergency response processes or plans implemented in support of the stated mandate and role of those utility groups (e.g. evacuation plans, business continuity plans).

• Crisis Management policies, rules, guidelines and principles must not be open to interpretation, but should remain flexible to changing organizational needs and events as they unfold in a crisis.

• Crisis Management must be viewed as a standard process of due diligence; understood, supported and endorsed by Executive Management and the Company’s Board of Directors.

The use of these principles will direct the mandate and role of a Crisis Management Organization, and determine the probability of a successful response to a threat or event.

I believe the industry needs a standard list of crisis principles. I'd like to hear from you on what you or your organization would like to see as standard crisis principles.

"By failing to prepare you are preparing to fail." -- Ben Franklin

It's been said that the only thing that can surpass the number of opinions on emergency management is the terminology used to describe it.  While this is probably true, the bigger reason for most confusion is the differing opinions regarding which functional team is leading the charge.

Of course, views on emergency management differ depending on who you're talking to.  Corporate Security would say that it's Crisis Management that drives all other emergency processes, while business leadership may see Business Continuity steering the ship, and of course Information Technology believes the world revolves around technology, including; emergency management.  Well the way I see it they‘re both right and both wrong.  A contradiction for sure, so let me explain.

But before I wade into the debate over emergency management umbrella program naming conventions, let's first look at what could happen in a crisis and therefore who is most likely to be involved and in what capacity.

If an organization receives a bomb threat, Corporate Security will undoubtedly be the first and normally the only responder.  Now, if the bomb goes-off; Corporate Security will of course take action and provide a key leadership role, but those directly involved increases substantially, including;

• Corporate Security - secure facilities, coordinate authorities, get employees to safety,
• Human Resources - accounting for employees and organizing counselling services,
• Facilities Management - determine impact and safety / usability of facility,
• Public Affairs - internal and external communications / media management,
• Safety - ensuring the safety of employees and visitors not impacted by the event,
• BCP - activate and manage Business Continuity Plans
• Information Technologies - activate and manage Technology Recovery Plans.

Each of the ‘utility' groups listed above has or should have plans for these types of events (hopefully based on the impact of the event).  In analyzing these plans, they actually fall quite nicely into four categories:

• Emergency Response,
• Business Continuity,
• Technology (Disaster) Recovery and
• Crisis Management.

Collectively I like to refer to these as an organization's ‘Crisis Preparedness Program'; rightly named given an organization's Board of Directors or other Enterprise Risk Management group demands that a state of crisis preparedness exist. For further clarity let's attach a high level definition, role and general responsibility to each of the four components.

Emergency Response

An Emergency Response Plan describes the actions that will be taken in response to ‘specific' events and are developed / maintained / facilitated by the operational (utility) group most qualified to do so.  These would include plans for; violence-in-the-workplace - the responsibility of Human Resources; technology virus detection and eradication - the responsibility of Information Technologies; air contamination - the responsibility of Facilities Management; suspicious package - the responsibility of Corporate Security; bad press - the responsibility of Public Affairs and building evacuation - the responsibility of Safety.  This list is actually quite extensive, with the number of plans easily reaching many dozen within a mid-size organization.

Business Continuity Management

Business Continuity is just what the name implies; plans developed to minimize operational disruption to the business (with a focus on critical business functions).  Business Continuity Management is typically comprised of two response-oriented sets of plans:

1. Contingency Plans which provide an alternate / temporary means of providing key aspects of the service until the full service can be restored and,
2. Recovery Plans, which provide the methods and processes to return to a full operational status once the business environment has been restored.  Responsibility for Business Continuity Management must rest with those most qualified, business leadership and business continuity planners.    

Technology Recovery

Technology Recovery, often referred to (for some archaic reason) as Disaster Recovery, again is actually comprised of two response-oriented sets of plans:

1. Contingency Plans which provide alternate computing equipment / sites in the event the organization's primary data center is unusable and,
2. Recovery Plans, the processes implemented to restore computing to the organization's data center once it is made available.

Technology recovery should always be synchronized with Business Continuity Management to ensure the organization's priorities are being addressed.  Responsibility for Technology Recovery should be obvious; that of the only qualified group in the organization, Information Technology.

Crisis Management

Unlike the previous three Crisis Preparedness Program components, Crisis Management has multiple roles in situations that are classified as ‘crises' to an organization.  The mandate of Crisis Management is primarily response and control of a situation that threatens life safety, brand image and other assets of the organization.

This mandate also represents the absolute priorities of Crisis Management and, by far, the number one priority is ‘life safety', followed by protection of the brand image.  Simply put, Crisis Management must never, not even for a moment, consider an event's impact on the business until such time as the first two priorities are fully addressed.  While general responsibility for direction and development of a Crisis Management Program is Corporate Security, the process of response is shared between senior members of the organization's utility groups.

So for a Crisis Preparedness Program to be effective, it not only has to address these four critical in-crisis processes -- it must also be mandated by a corporate or management policy that ensures that the CPP exists and is administered at the enterprise level.

Crisis Management means different things to different people.  It's our organization's response to an emergency or crisis -- it's managing the impact of an event (crisis) on behalf of the organization and stakeholders, and it's making sure we're focused on the right priorities.

On the flip side, it's helpful to remember what it isn't.  Crisis Management is not -- minimizing the impact on the business or the ability to generate revenue.  That is the role of Business Continuity Management.  If we were only focused on the business, the outcome from our response could result in injuries or loss of life.  Can you imagine public reaction if a company was focused on business resumption and 10 employees died and many more injured?  And it was preventable?

Crisis Management can't be based on theory, and it should operate in a similar fashion to how we handle everyday problems and emergencies.  Our response in a crisis cannot be based on a specific event (e.g. fire or terrorism), but only on the impact of the event.  We'll talk more about this.

There are two fundamental operating principals applicable to every organization for Crisis Management.

A. The Structure and Role of a Crisis Management Organization

A Crisis Management Organization (CMO) mandate must be clear, and membership should only consist of people who will ensure success; not based on political or functional roles.  The CMO should have a well defined role and measurable responsibilities.  In every emergency or crisis, there are two distinctive roles:

Crisis Management Team - Decision making and in-crisis risk management
Crisis Response Team - Operational response and control of the situation 

These roles are at opposite ends of the response spectrum, requiring different skills, experience and authority - and therefore you need two different teams.

A Crisis Management Team (CMT)is made up of senior executive leadership team members, and is the highest level decision-making authority in the organization.  As senior leadership these individuals are the most qualified to make decisions and evaluate risk, regardless of whether or not the organization is in a state of crisis. 

A Crisis Response Team (CRT) is comprised of senior staff from key "utility" groups within the organization.  Representation on the CRT should only come from the following groups:

Corporate Security                      Public Affairs & Communications

Human Resources                       Facilities Management

Health Services                            Information Technology

Corporate Safety                         Business Continuity Management

There's a logical reason why the CRT should be restricted to these functional groups; they represent the people who on a day-to-day basis manage emergencies, problems, incidents and crises.  Their knowledge and experience makes them the most qualified people in the organization to recognize and act upon the priorities of Crisis Management.

B.  The Three Priorities of Crisis Management

There are 3 priorities in a crisis or emergency situation for the Crisis Management Organization:

1. Ensuring Life Safety of employees and on-site visitors,
2. Protecting the organization's Brand Image,
3. Minimizing operational disruption.

Too often the priorities are unilaterally changed depending on who is managing the response and risking critical in-crisis decisions.

There is no question that the highest priority of Crisis Management is Life Safety.  Managing a panic evacuation, accounting for employees, assisting contractors and visitors, supporting the injured, providing family assistance for those who lost their lives, and sharing threat or event information with neighbors are all vital actions to managing a crisis.  Maintaining this focus will ensure that the organizations moral, ethical and legal obligations are satisfied.  Altering this focus can create long term impacts that threaten the organization's existence. 

Brand Image is often considered one of the most important assets of the organization.  Brand Image can be evaluated from a number of perspectives, including: product image, logo recognition, corporate image, employee's view of the organization, Customer opinion, supplier judgment, media attention, global presence and public image. 

Most organizations do recognize the vulnerability of their image and how quickly it can be damaged.  How an organization responds to and manages a public emergency or crisis situation will have both an immediate and long term impact.  If the impact of an event is not effectively managed from the beginning, attempts to correct that image after the fact is a daunting task to say the least.

Minimizing operational disruption is without question the lowest priority of a Crisis Management Program.  The short term loss of revenue or a disruption to supply and services, or managing frustrated customers is far less important than experiencing loss of life (especially if it was preventable), or the long term damage to the organization's image because the response was slow and mismanaged. 

Stayed tuned for future blog postings where we will cover more ground on Crisis Management including;

• Responsibilities of team members
• Crisis Preparedness -- the difference between Crisis Management, Business Continuity, Disaster Recovery and Emergency Response
• Crisis management policy and the 10 Crisis Management standards
• Critical success factors in Crisis Management
• Taking advantage of automated in-crisis products and services
• Managing primary and secondary dependent sites
• The in-crisis role of local management
• The real purpose and value of issuing Alert Levels
• The in-crisis process (who, when, why and what)
• In-crisis decision making; making the right decision every time
• The importance of Pre-Event Response Planning
• Post crisis assessment, learning from success and failures
• Continuing education and training, the cornerstone to ongoing success

In our next blog, we'll explore what a Crisis Preparedness Program is, and how it sets the stage for: BCP, DRP, Crisis Management and all emergency response plans.

The global economic downturn has forced many organizations to reduce operating costs.  The irony is that this cost reduction has reduced security and emergency management capabilities which are required more than ever because of threats from this downturn. Here's how I see the link between the economic downturn and new and growing threats:

• Cutbacks in personnel reduces repair and maintenance activity, -- and that in turn increases the probability of service failures, delays and disruptions in North America's infrastructure.  It gets worse with each new round of cost cutting -- and telecommunication services, the power grid, other utilities and public emergency programs are all under the cost cutting knife.

• Every new round of layoffs and terminations only compounds the threat of aggression and retribution - people become afraid and angry.  It's impossible to predict people's reaction to this stress and it leaves organizations vulnerable to violence. 

• Operational risk management can fall victim to the risk itself.  We can hope that critical operational processes will be maintained despite reductions in the workforce, but we know that it's only wishful thinking.  Inevitably, risk prevention and threat mitigation initiatives will be compromised. 

• Standard operating procedures may simply fail.  As key operational capabilities are weakened, so are the standard operating procedures designed to protect employees, assets and critical business functions.  Our ability to respond to and manage a crisis is compromised.

• Shoot first, ask questions later.  We're cutting costs without understanding why these programs were created in the first place.  We're compromising the safety of employees, our brand image, and the overall security of the business because we know we need to take action - but we no longer know what the action should be.

• We're not an island. Your organization may recognize the importance of security and emergency management, but you're only going to be as effective as the organizations around you. As your neighbors capabilities weaken, the importance of your own ability to manage a crisis increases.

• Putting our guard down creates opportunity.  While we're busy focusing on reducing costs, we're creating new risks and vulnerabilities which in turn create opportunities for criminal activity that we may not be able to prevent or even detect.

• International and home-grown terrorist threats are here to stay.  Terrorism creates fear, and worse case, -- death and destruction.  But for terrorism to succeed, it needs vulnerable targets.  As we weaken our emergency management capabilities we are making it easier for terrorists to succeed.

• What about our suppliers? As our suppliers cut costs, they increase risks to our employees, our services and our customers.  And if our operational and Enterprise Risk Management capabilities are weakened, we may not be able to detect these growing threats.

• Two things for sure.  When employees are worried about losing their jobs, productivity goes down and the rumor mill goes into high gear.  A simple statement can trigger rumors which impact employees, customers, suppliers, the media, and others (residents, students, members of associations).  Managing these rumors and speculation is only as effective as your organization's emergency management and mass communication capabilities.
  
  We can't prevent these new and growing threats, but we can mitigate their impact with our actions.  These actions are doable through a cost effective emergency management capability -- a Crisis Management Program.  

The need for Crisis Management is growing exponentially - you can't do without it in this environment.  Every organization can manage these risks, and in many cases actually reduce costs.  While we may not be able to create a complete ROI, we should be able to come close.

What are the critical factors? What are organizations experiencing in today's environment?  What are you seeing?  How do we look at Crisis Management differently in this economic downturn and - and what are the success stories in overcoming the challenges? How can the use of automated emergency management tools make the difference?

These are the things I'll be digging into, along with guest bloggers from the emergency and crisis management industry.  I hope you'll join me in this blog and I look forward to your perspective on the situation.  We live in interesting times...

Dennis Hamilton