Add to Technorati Favorites
Crisis Management Blog

ERMS Blog

About the Authors


 Derek Hemington, ERMS


Derek Hemington


Dennis Hamilton CRPC

 Dennis Hamilton

Subscribe by Email

Your email:

Browse By tag

Most Popular

Browse By Date

Add to Technorati Favorites

Crisis Management and Emergency Notification Blog

Current Articles | RSS Feed RSS Feed

8 Reasons Why Corporate Security Should Own the Crisis Management Program

Posted by Dennis Hamilton, FBCI (Hon) on Fri, Jun 05, 2009 @ 03:10 PM
Submit to Digg digg it |  Add to delicious  delicious |  Submit to StumbleUpon StumbleUpon | Submit to Reddit reddit 
 

When I'm talking with people about Crisis Management there are 2 big questions that always seem to come to the surface - What is Crisis Management, really? - And who should be responsible for it in my organization?

I love talking with people about this, after all it's my favourite subject. The first answer is predictable -- it depends. If you're a small organization, Crisis Management probably means a number of things: emergency response, business continuity management, technology recovery, health and safety and a great deal more -- all of it rolled up into a single set of processes, managed by a single person or department (usually someone from IT or Facilities).

This approach may work in small organizations, but there are big-time challenges in a mid-size or large organization. The politics alone can drive this approach to fail. Add in a more complex organizational structure, a large number of employees, multiple sites, industry or government regulations, enterprise risk management requirements, etc. etc. and now you really need some serious structure!

But what does the term Crisis Management really mean?

Crisis Management is a policy driven enterprise program comprised of resources, processes and services that effectively manage an organization's response to an emergency or crisis situation; while being directed by priorities of life safety and employee support, protection of the organization's brand image and minimizing operational disruption.

In a previous blog posting (The Building Blocks of Crisis Management) I discussed in detail the need to have the most qualified people in your company participating and responsible for Crisis Management (the Crisis Response Team). If you go through an assessment in your Company you'll probably find there are a number of functional groups that truly are the most qualified. These include: Corporate Security, Human Resources, Public Affairs, Facilities Management, Safety, Health Services, Business Continuity Management and Information Technology.  I list these groups partly because that's what they do every day -- they manage problems, emergencies and crises of various sizes. If we did not have problems, emergencies and crises we would not need half the people in these functional groups and in some cases, we wouldn't need the department at all.

Please take note that I did NOT list business leadership as members of the Crisis Response Team. Their participation on the Crisis Response Team will redirect valuable time and attention to business issues; while employees and/or the company's brand image could be at risk. Business leadership should focus their attention to Business Continuity Management only.

Now, if those functional groups listed above are the ones who should participate in Crisis Management (your Crisis Response Team), whose responsibility is it to develop the Crisis Management Program, implement it enterprise-wide, secure the required support services and ensure operationally it is compliant with policies and standards?

The answer is easy, Corporate Security. Why you ask?

  1. They are the most qualified and best trained in emergency response.

  2. They are the most knowledgeable on the most probable of threats and risks (physical events).

  3. They typically operate on a 24x7 basis, making them the only readily available resource.

  4. They are usually the first to know of a threat or event and most often they have first response accountability.

  5. They are or at least should be very influential with the executive decision makers to ensure there is political and operational support for a Crisis Management Program.

  6. They have easy access to every business unit to garner the required support.

  7. They are the best positioned to effectively work with external emergency services and agencies.

  8. And, quite simply, it's their job.

But it's important not to see Corporate Security in a dictatorship role when it comes to Crisis Management.  While they should be responsible for creating and implementing Crisis Management, Corporate Security's role during a crisis is one of facilitation and coordination of the Crisis Response Team; a team that should operate on a principle of "majority rules decision making" - and that's another good topic for a future Blog.

Clearly the role and responsibility of Corporate Security is evolving at a rapid pace.  Boards of Directors, Executive Management and other key Stakeholders are recognizing threats and disruptive events are increasing both nationally and on a global basis -- and increasing the risk to employees, the brand, operations and the organization as a whole.  Virtually every Enterprise Risk Management assessment now concludes that the role and responsibility of Corporate Security must continue to evolve to protect the stability and survivability of the organization.

While Corporate Security has a number of responsibilities, few are more critical than that of Crisis Management.

 

Tags: , ,

COMMENTS

While I have generally found the information on your blog of interest and a source of useful information I am afraid I have to disagree on the whole with your assertion that Corporate Security should be responsible to develop and implement a crisis management program. You have provided eight reasons that you believe this to be the appropriate approach… I would like to respond to each in kind. 
1. You have indicated that Corporate Security (CS) are the most qualified and trained in emergency response. 
 
This is arguable. Certainly some CS personnel may have received training in emergency response, but this is rarely a large portion of security guard training programs and when you refer to emergency response you are, I assume, referring to only one of the five pillars of Emergency Management (Prevention, Preparedness, Mitigation, Response, and Recovery). This actually illustrates why the crisis management program actually would be better managed in the overall context at the corporate level. I agree with Canton’s assertion in Emergency Management: Concepts and Strategies for Effective Programs that: “Comprehensive Emergency Management is a Strategic concept, not a tactical one…”, (Canton, L.G., 2007) 
 
2. Your second point, that CS are the most knowledgeable on the most probable of threats and risks (physical events), fails to consider all of the facts. Yes, physical events are probable, but again, the CS folks are likely unaware of the impact of technological disasters (including such threats as cyber-terrorism, widespread power outages) or of economic, environmental, or natural disasters. Further, it is critical that an emergency manager has an understanding of not only the physical threats but the social and psychological impact of emergencies on staff members. When you look at economic impact, and overall impact on people (and all companies rely on their people) natural disasters such as flood, drought or hurricane have historically had a far greater effect upon, and far more long term effects on a company’s ability to continue to operate than a physical security breech.  
 
Regardless, the management of risk, no matter who is responsible, starts with a detailed hazard analysis to identify, and then to develop a strategy to avoid, or mitigate the identified risks. It makes no difference then whether they are risks already known to CS… if the job is properly done it will identify ALL risks (an all-hazards approach). Again, there is no particular advantage to CS having this management responsibility as the focus has to be on analyzing all risks regardless.  
 
3. With regard to your third point. Yes, some CS departments operate 24x7. To say they are the only available resource is not entirely true. One phone call and the corporate emergency manager (in fact the entire crisis management team) will begin to act. 
 
4. To suggest that they are usually the first to know about an event is arguable. If the event is an earthquake I would presume that they are simply among the first to know. And this does not necessarily put them at an advantage. The second statement you have made, that they have first response accountability is correct. But the CS responsibility is largely to secure the corporate facilities and assets. This is what security personnel do well, what they are trained for and what they should be free to do when a crisis happens. Placing the responsibility upon them to also oversee the crisis management program can create conflict in terms of resources. Essentially what I am suggesting is… let CS do what CS does best. 
 
5. Your point regarding influence with decision makers is well taken, however the corporate emergency manager should, and likely would (presuming an appointment to this post by senior management) have the same influence. I suppose my argument here is that a well trained and experienced emergency manager would be able to bring a more holistic approach to the program.  
 
6. Again, to suggest that Corporate Security have some exclusive access or even better access to resources within the organization is dependent upon the particular organization. Garnering support from within the organization can be done no matter who is in charge of the program. Because the crisis program would typically operate under the authority of the senior management it makes no difference to the participants regardless of who has responsibility to lead the process. 
 
7. CS may be able to effectively interface with external emergency services. You have not defined the ‘other agencies’. I assume that this may include a variety of support agencies from housing, to social services, to landlord or leasing companies, to telecommunication and energy providers, and insurance providers. The responsibility to resume or significantly alter corporate operations or to deal with staff members who may have family or personal challenges during an emergency are very far from the average training or experience of CS staff. The ICS model is not a bad example of a way to engage the team approach to crisis management. Done well this provides a well organized approach to safety, planning, response, logistics, finance and communication during emergencies. You have rightly suggested that having involvement from the various departments within the company in the crisis management team is important.  
 
8. You have said: It’s their job. Quite simply… it is not. Or at least it should not be without taking into account the needs of the overall program and whether the CS management personnel are properly trained in or capable of filling the (program) management role. 
 
Overall I believe we are using too narrow a lens if we look at a crisis (only) management program. Surely the job of corporate management is to manage the entire business. The management of crisis is simply another management function, albeit a critical one when an emergency happens. But to look at crisis in isolation and to not consider the bigger picture in terms of an overall emergency management program can lead to failure.  
Canton makes an important assertion in his chapter dedicated to defining the Emergency Manager. He examines some of the functions of preparedness and cautions against defining the Emergency Manager by the role… He says, “it is easy to confuse the technical knowledge required of the emergency manager with the tasks that are required under the program.” 
He goes on further to suggest that, “the role of the emergency manager is no longer that of a technocrat with highly specialized skills in emergency response but is rather that of an administrator with responsibility for overseeing the development of an enterprise-wide emergency management program.” 
The emergency management profession has, and continues to develop from an historical root in the civil defense era where the emphasis was clearly on preparedness, into a program management role. If we get away from defining emergency management as a discreet process (done by one person) and understand that it is actually a distributed process with involvement from many facets of business leadership, senior management, specialist departments, and yes, even CS… the emergency manager is actually the program manager who acts to facilitate the overall goals of the emergency management program. This allows us to address all five areas of disaster management and to re-frame our thinking from a response mindset to a holistic approach. 
 
Thanks for allowing comments. 
 
 
 
 

posted @ Sunday, July 11, 2010 12:07 AM by Brent Bauman

Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics