When I'm talking with people about Crisis Management there are 2 big questions that always seem to come to the surface - What is Crisis Management, really? - And who should be responsible for it in my organization?
I love talking with people about this, after all it's my favourite subject. The first answer is predictable -- it depends. If you're a small organization, Crisis Management probably means a number of things: emergency response, business continuity management, technology recovery, health and safety and a great deal more -- all of it rolled up into a single set of processes, managed by a single person or department (usually someone from IT or Facilities).
This approach may work in small organizations, but there are big-time challenges in a mid-size or large organization. The politics alone can drive this approach to fail. Add in a more complex organizational structure, a large number of employees, multiple sites, industry or government regulations, enterprise risk management requirements, etc. etc. and now you really need some serious structure!
But what does the term Crisis Management really mean?
Crisis Management is a policy driven enterprise program comprised of resources, processes and services that effectively manage an organization's response to an emergency or crisis situation; while being directed by priorities of life safety and employee support, protection of the organization's brand image and minimizing operational disruption.
In a previous blog posting (The Building Blocks of Crisis Management) I discussed in detail the need to have the most qualified people in your company participating and responsible for Crisis Management (the Crisis Response Team). If you go through an assessment in your Company you'll probably find there are a number of functional groups that truly are the most qualified. These include: Corporate Security, Human Resources, Public Affairs, Facilities Management, Safety, Health Services, Business Continuity Management and Information Technology. I list these groups partly because that's what they do every day -- they manage problems, emergencies and crises of various sizes. If we did not have problems, emergencies and crises we would not need half the people in these functional groups and in some cases, we wouldn't need the department at all.
Please take note that I did NOT list business leadership as members of the Crisis Response Team. Their participation on the Crisis Response Team will redirect valuable time and attention to business issues; while employees and/or the company's brand image could be at risk. Business leadership should focus their attention to Business Continuity Management only.
Now, if those functional groups listed above are the ones who should participate in Crisis Management (your Crisis Response Team), whose responsibility is it to develop the Crisis Management Program, implement it enterprise-wide, secure the required support services and ensure operationally it is compliant with policies and standards?
The answer is easy, Corporate Security. Why you ask?
- They are the most qualified and best trained in emergency response.
- They are the most knowledgeable on the most probable of threats and risks (physical events).
- They typically operate on a 24x7 basis, making them the only readily available resource.
- They are usually the first to know of a threat or event and most often they have first response accountability.
- They are or at least should be very influential with the executive decision makers to ensure there is political and operational support for a Crisis Management Program.
- They have easy access to every business unit to garner the required support.
- They are the best positioned to effectively work with external emergency services and agencies.
- And, quite simply, it's their job.
But it's important not to see Corporate Security in a dictatorship role when it comes to Crisis Management. While they should be responsible for creating and implementing Crisis Management, Corporate Security's role during a crisis is one of facilitation and coordination of the Crisis Response Team; a team that should operate on a principle of "majority rules decision making" - and that's another good topic for a future Blog.
Clearly the role and responsibility of Corporate Security is evolving at a rapid pace. Boards of Directors, Executive Management and other key Stakeholders are recognizing threats and disruptive events are increasing both nationally and on a global basis -- and increasing the risk to employees, the brand, operations and the organization as a whole. Virtually every Enterprise Risk Management assessment now concludes that the role and responsibility of Corporate Security must continue to evolve to protect the stability and survivability of the organization.
While Corporate Security has a number of responsibilities, few are more critical than that of Crisis Management.
