What is a Crisis?? and do you have a plan?

“A disruption that physically affects a system as a whole, and threatens its basic assumptions, its a subjective sense of self, it esistential core.”

Researchers Thierry C. Pauchant & Ian I. Mitroff

A crisis in not exactly the same as a problem. A problem is  commonplace occurence and fairly predictable and can usually be addressed within a limited time frame, often without arousing any public attention or without drama (according to our book Public Relations: A values driven approach). A crisis is less predictable, it requires a cosiderable investment of time and resouces to resolve and often bring unwanted public attention; along with that it can challenge an org’s core values.

The question to be answered for most companies is do you have a crisis plan?

So how do you plan for the unknown?

On Continuity Centra’s website they give a two step process for crisis management created by Andrew Fernandez, who works for Dell inc., USA as a Manager-global business continuity. This is the two step process he prepared for this company.

Phase 1 – Pre planning (Risk assessment and mitigation)
The pre-planning stage follows the usual business continuity development cycle, which has been developed over time and ratified by bodies such as the Business Continuity Institute and the Disaster Recovery Institute International. However, the documentation available to explain how to develop a business continuity plan can be fairly extensive. My simplified version is as follows:

Step one KNOW your risks!! Risk is a very broad term, but here is a very simple way of breaking it down into bite sized pieces:

* Get your senior management team into a room;
* Identify all risks (internal and external) that can potentially impact your organization;
* Group ALL known risks into two categories – high probability, low probability;
* Assign downtime tolerance against each probability (Downtime should be restricted to three timelines: less than one business day, 1-2 business days, 2-7 business days);
* Identify the potential impact of a risk event on the business – high or low (notice there is no medium!).

Step two – ALL high probability risks should have a LOW impact. If NOT, your business is really in dangerous waters!! If any high probability risks turn out to have a high impact, then it is very important that an operational solution is put in place absolutely as soon as possible.

Step three – Get management prioritization for low probability/high impact risks, to ensure that as a business there is a clear consensus on what business continuity activities should focus on. Not sure where to start? Concentrate on the top three unaddressed risks with the highest impact.

Phase 2 – Crisis assessment and management planning (Incident resolution)
For starters, the crisis will need to be managed either by location and/or by business function and to manage it the team must be predefined and members must be clear about their roles. A crisis management team needs the following to be in place to be effective:

Role one: There must be clearly identified ‘assessors’ (along with back-ups to these people) whose sole mission is to be able to assess the business interruption impact and provide feedback to the incident management team.

The assessor is the eyes and ears of the business and clearly needs to have the expertise to understand and assess the impact to the infrastructure and people. Assessors typically represent functions such as HR, Security EHS, and Operations. Based on the size of the organization, they can perform their functions individually or as a group. If they work as a group, they would typically form the ‘Site Response Team’. Their core responsibilities are to:

* Analyze and assess incidents.
* Resolve incidents; and if no resolution is possible immediately, to escalate.
* Provide recommendations.
* Execute actions to facilitate the return to a state of normality.
* Coordinate the return to normal operations once the threat has been concluded.
* Initiate a post incident review to provide feedback – what went well/what did not work, areas for improvement etc.

Role two: Identify a group of senior executives whose role is to receive the feedback provided by the assessors. Depending on the size of the organization this can be one individual or more, or a group of individuals. Either way their role is to perform crisis management and hence they are what we typically know as the crisis management team.

This team or individual (s) are authorized to approve recommendations given and are mainly involved in the crisis management process because they have their finger on the pulse of the business and can gauge the impact that the interruption will cause to the organization and business activities in general. Core responsibilities for this team or individual(s) are:
* Provide guidance to the assessors.
* Receive recommendations and provide approval and direction.
* Be accountable for the direction provided.

Role three: Irrespective of the size of the organization, you must have a person designated to drive internal and, if required, external communication efforts. One of the fundamental flaws in many crisis responses is that an overdose of information is provided but with no real focus to the communication. Effective and proactive communication will create and build the perception that the organization is under control; that the company knows and understands what is happening; and that it will resolve the situation. No matter how big or small an organization, creditability can be gained or lost during a crisis.

For an organization that has multiple sites, or multiple locations, replicate the above process. Remember you must have eyes and ears on the ground. Speed is of the essence. Some points to consider are:

* If you have a cluster of buildings that is considered one site, your team needs to decide whether they need to have an assessor per building or per site;
* If you have sites in different locations/cities you must have a separate site response team. You may be able to work with one crisis management team as long as the site leads are part of the crisis management team.
* If you have sites in multiple countries, and regions, it is strongly recommended that you have regional crisis management teams and country specific response teams.

~ by aprwade on 11/02/2009.