Crisis Management Teams Should Always Have a Toolkit That Supports Them During the Crisis.
One of the questions that I get asked most often is “what are some of the most common mistakes you see as you visit various clients?” Other than companies not being committed to exercising (another article, another time), my biggest concern is with companies that treat crisis management as something that they would pull together in an ad-hoc fashion. They may have a Crisis Management Plan, but they don’t treat crisis management as a Program – and therefore aren’t developing, exercising, measuring and refining their tools. Ideally, your Crisis Management Team has these six tools in their tool belt.
Tool 1: A Crisis Management Program
In 2017, I had the opportunity to present a webinar for ICMC called “Creating a Crisis Management Plan”. In that webinar I stated that it is the Crisis Management PROGRAM that is the most critical component, and that the Crisis Management PLAN is produced as a result.
When companies make a commitment to treating crisis management as a program, not only do they write a Crisis Management Plan, they develop a complete toolkit that meets their needs during a crisis. Further, they build and improve their tools, they practice using them and, as they mature, they become increasingly prepared for a crisis.
Your program should include components for program measurement, reporting, exercising and training & awareness and must have the commitment of executives and senior business leaders. Companies that work to mature their program build a solid foundation for dealing with disruptive events.
Tool 2: Business Impact Analysis (BIA)
You may be curious about this one, but I can’t overstate the importance of BIA data in the development of your Crisis Management Program. Traditionally, during the BIA workshops, we identify what the critical business functions are and we understand what the impact would be to the business if those functions got interrupted. But too often the information gathered isn’t used to its full potential. We focus on RTO / RPO and we might use the data in business continuity plans. But once you’ve collected BIA data appropriately, your teams should be developing preventative and responsive controls to mitigate and manage threats and incidents.
Note: I’ll be speaking about how to effectively use BIA data at the 2018 ICMC Conference in Boston.
Another common gap in BIA data collection is related to Risk. I’ve seen several BIA data models that don’t address risk at all. As a result, we end up with an all-or-nothing approach to impact measurement. Impact becomes based on a total loss of the specific business function. But if the business function has key risks that have a higher probability than “total loss”, why wouldn’t we assess the impact of those risks and build our plans with those things in mind?
Tool 3: A Standardized Response Protocol
I don’t believe in writing scenario-specific Crisis Management Plans. While you may want to address specific threats such as cybersecurity, terrorism or hurricanes (depending on your location), I firmly believe that organizations should have a common response protocol, regardless of the type of incident. There are several different approaches to incident response. If you search for ‘incident response steps’ you will find a variety of five, six, seven and even ten step plans that you can incorporate into your response protocol. We’ll let those folks argue over how many / which steps to include. In the meantime, make sure your response protocol, at a minimum, covers the following points:
- Make sure your response is based on the culture, size and needs of your organization. Cookie cutter plans are not the answer.
- Incorporate alert procedures, monitoring techniques and other ways that your team will be notified of a potentially critical incident.
- Triage / Investigation. Get subject matter experts involved as quickly as you can so that they can identify exactly what happened and work to determine the impact the incident has on your organization. After this phase the team will classify the incident and determine if they need to engage the Crisis Management Team. If the situation is less critical, the responding team will work to contain the situation per their normal protocols. If they are responding to a major incident, they will work within the guidelines of the Crisis Management Plan.
- Define how you will gather the Crisis Management Team and what their initial response looks like.
- Reporting / Lessons Learned. I am a firm believer that every incident is an opportunity to review your protocol and identify ways to improve it. Even “near miss” situations allow you to evaluate your readiness and adjust the protocol or improve the training of those involved.
Tool 4: A Crisis Management Plan
The response protocol identified in Tool 3 will be one of your most commonly used tools because it will be used for a multitude of incidents of varying impact levels. But when you’re responding to a major incident and you’ve engaged the Crisis Management Team, you do not want them coming to the table without a specific course of action.
Make sure your Crisis Management Plan includes the following components:
- Clearly defined roles and responsibilities. Think about the people you are bringing to the table. Senior executives typically have strong leadership skills and personalities to match. Make sure each member of the team understands what they are accountable for and focus them accordingly. Conducting regular exercises helps drive this key point home. Consider using RACI charts to outline responsibilities.
- Initial Response. Define the procedure for calling the team and getting them to the table as quickly as possible. I like to build an agenda for the initial meeting into the plan so that the person facilitating the session knows exactly what to cover and that the team gets a clear picture of the situation. Have an appropriate command center with the necessary support tools to help the team succeed. If you’re planning on using a conference bridge, include those details in the plan.
- Guiding Principles. Typically, the last item that I include in the initial response agenda is to determine next steps. While this is incident specific, you can still provide guiding principles to teams who are commonly engaged. For example, you can lay out a list of things your Human Resources Lead can do to ensure the safety of your employees or define a series of steps your Technology Lead can perform when dealing with a major IT incident. Also include guiding principles for your Communications, Cyber and Privacy Leads. Think of these as general reminders to help make sure critical responses don’t get ignored.
- I can’t emphasize enough the importance of clear, concise, accurate and timely communications during a crisis. Engage your communications team as part of the preparation phase and diligently define your communications protocols.
Your Plan doesn’t have to be huge – in fact I encourage you to keep it lean. I’ve used this analogy before, but I like the plan to resemble a race horse. A fat horse will never get around the track. A pony isn’t big enough to keep up. Make sure your plan is fast, focused and responsive.
Tool 5: Impact Profile
An Impact Profile is a tool that your Crisis Management Team can use during an incident to gain insight into the type of impact to expect. The profile is based on information gathered during the BIA where we identified critical business functions, staff, work location, system requirements, single points of failure and the impact associated with various risks. By cross referencing the information, the team can easily see a prioritized list of affected business functions resulting from the loss of a system, facility or other key resource.
You can think of the information that comes from the Impact Profile as you would a hurricane warning. The hurricane warning takes a specific set of data (storm conditions, wind speed, location, path, etc.) and issues watches and warnings accordingly. The Impact Profile works in a similar fashion. You know the location and conditions of the incident. Your Impact Profile can filter BIA data to select ‘in scope’ business functions and can show impact to the business over the estimated duration of the situation.
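The cross-referencing described above can be sketched in a few lines. This is an added example, not a tool from the article: the record fields, function names, resources and 1-5 impact ratings are all constructed assumptions about what a BIA data set might hold.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BiaRecord:
    function: str            # critical business function from the BIA
    depends_on: frozenset    # systems, facilities and other key resources
    rto_hours: int           # recovery time objective
    impact_curve: tuple      # (outage hours reached, impact rating 1-5), ascending

# Constructed sample BIA data (hypothetical names and ratings).
BIA = [
    BiaRecord("Payroll", frozenset({"HR-System", "HQ-Building"}), 72,
              ((0, 1), (72, 3), (168, 5))),
    BiaRecord("Customer Support", frozenset({"CRM", "Call-Center"}), 4,
              ((0, 2), (4, 4), (24, 5))),
    BiaRecord("Order Processing", frozenset({"CRM", "ERP"}), 8,
              ((0, 2), (8, 4), (48, 5))),
    BiaRecord("Marketing", frozenset({"CRM"}), 120, ((0, 1), (120, 2))),
]

def impact_at(record, hours):
    """Impact rating once the outage has lasted `hours`."""
    rating = 0
    for threshold, level in record.impact_curve:
        if hours >= threshold:
            rating = level
    return rating

def impact_profile(bia, lost_resources, est_hours):
    """Select in-scope functions for the lost resources and rank them."""
    lost = set(lost_resources)
    rows = []
    for rec in bia:
        hit = rec.depends_on & lost
        if not hit:
            continue  # function does not depend on anything that was lost
        rows.append({
            "function": rec.function,
            "affected_by": sorted(hit),
            "impact": impact_at(rec, est_hours),
            "rto_hours": rec.rto_hours,
            "rto_exceeded": est_hours > rec.rto_hours,
        })
    # Highest impact first; ties broken by the tightest RTO.
    rows.sort(key=lambda r: (-r["impact"], r["rto_hours"]))
    return rows

if __name__ == "__main__":
    for row in impact_profile(BIA, {"CRM"}, est_hours=24):
        print(row)
```

Re-running the profile as the estimated duration changes shows which functions cross their RTO next.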
Tool 6: Critical Templates
The use of templates during a crisis increases your team’s ability to act quickly. Here are three key templates to include in your toolkit:
- Have pre-written press releases, employee notifications and customer notification templates that leave room for you to fill in the specific details of the incident. Having used these templates in countless exercises, I have seen extremely well written press releases put together in less than five minutes. The same information used in the press release can be included in updates to your staff and/or customers. The key to crisis management is good communications and you don’t need to fumble with trying to develop this from scratch at time of crisis.
- Incident Action Plan (IAP). Every situation is different, and it would be impossible to build an action plan before the incident occurs. But you can build a template for the IAP and fill in the details as part of the “next steps” portion of your initial response meeting. Allow the IAP to change as details change or new information is gathered.
- Action Logs. You will want to keep track of specific action items, decisions and communications that take place during your crisis response. Document each communication with a key party, what the message was and the date/time of the conversation. Track the assignment and completion of specific tasks to help document the response. This could be helpful if the situation leads to legal action and it will assist with your lessons learned evaluation after the incident is closed.
Every organization has different needs and there is no cookie-cutter solution to crisis management. There are, however, certain best practices that we all can follow to help our response be focused, thorough and responsive.
By utilizing these six tools, you will be on the path to making your organization crisis ready.