Most organizations pay some level of attention to crisis response, often times through siloed functions aligned only informally, task organized under a conceptual “Corporate Incident Management Team” (CIMT). Functional policies and procedures are developed addressing the four recognized phases of crisis response (Mitigation, Preparation, Response, and Recovery), with accountabilities falling to Corporate Security, Information Technology/Security, Business Continuity, Business Intelligence, Facilities Management, Corporate Risk, or others. Plans may address a myriad of critical incidents, natural disasters, cyber incidents, civil unrest/protests, public health emergencies, and hostile acts by humans, among others. Response plans are often drilled, testing employee preparedness and emergency response by security, law enforcement and emergency services. Recovery plans are discussed and refined, and even tested, through periodic tabletops or exercises with participation of the CIMT.
Even with all those functions at full capacity with dedicated staff, well placed mitigation strategies, robust resources, proper funding, and well-conceived policies and procedures, an organization is still at risk of being purely reactive in crisis response mode, instead of the preferred alternative: a proactive crisis management posture. Though crisis management includes all those things, it additionally requires a deliberately integrated framework and, more importantly, a leader empowered to bring all those capacities together.
In transitioning from crisis response to crisis management, an organization should commit to five critical proactive measures: (1) establish what defines a “crisis”, (2) consider crisis in the context of the organization’s priorities, (3) anticipate potential crisis conditions through analysis, (4) establish decision points for potential crisis conditions, and (5) arrange for planned intervals during which crisis management leaders and teams meet to assess the current threat environment and potential crisis conditions.
Transitioning from reactive to proactive - from response to management - an organization should first broadly define “crisis”. An enterprise, line of business, function, region, or site might experience tragedy, emergency situations, kinetic events, or financial loss in the form of lost or delayed productivity or data availability, etc. These situations though may not be a “crisis.” Consider a large multi-national corporation headquartered in the US, with 100K employees working in 150 countries task organized into four global regions. Each region is managed by a regional corporate office, overseeing research and development sites, distribution centers, and manufacturing and logistics hubs. An overnight structure fire that completely destroys a single distribution hub, or even a manufacturing site, may be perceived as a “crisis” by those experiencing the incident in real time, but does it raise to the level of a corporate crisis, or even a regional crisis? If that fire results in loss of life, damages neighboring residences or historical sites, or causes contaminated air or even simply foul-smelling air to permeate the area, the organization would look at things differently.
A good starting point for an organization is to consider crisis as an adversarial threat act or a natural or man-made event or incident, the acute impact of which severely disrupts business or causes a sustained disruption to the organization’s business efforts or reputation. Decision makers should consider crisis and business disruption in the context of what the organization holds most dear, reviewing crisis in consideration of people, places, things, information, processes/productivity, brand reputation, and high-level leadership. Specific definitions might be further determined in this context, and/or specific to the function, region or site.
A predictive analytical capacity is key for any organization to catch a crisis before it happens. Data, metrics, indicators, and professional analytical products – along with normal corporate reporting, are all useful tools for leadership teams in predicting crisis or, at the very least, being prepared to manage crisis. One approach is to ensure a framework by which the organization is constantly analyzing their environment in an effort to anticipate potential crisis conditions. Leadership at the corporate, functional, regional or site level(s) are provided regular intelligence and advisory reports on threats or conditions that might provide insight with regard to potential crisis conditions. Reporting might include analysis and data on broad issues like brand reputation and public opinion/perception, employee behavior and performance, environmental health and safety statistics, insider threat and data loss incidents, annual active shooter trends and statistics, and geopolitical assessments on regional stability and economic issues. Each accountable functional element should monitor and analyze their data and feed decision makers key information to paint an overall “risk picture.” The key differentiation here is that reporting should not be assessed in a vacuum by the accountable function alone – but shared and assessed broadly and perhaps formally.
An organization should establish decision points that require leadership to analyze the potential for a crisis, adjust or augment mitigation strategies, and prepare for a response and recovery. Examples of decision points may include simple narratives like “indigenous terrorist groups successfully target a western private sector/business office or site, resulting in a loss of life” or “wild fires have quickly spread in size and severity and are in proximity to corporate facilities or residential areas in which employees or American expats live” or “host nation security forces have committed to sustained arrest operations targeting western media and business executives” or “commercial carriers have cancelled flights in and out of regional airports.” Each of these situations would point to conditions ripe for a crisis, meriting thoughtful discourse by the accountable leadership teams, with input from subject matter experts and functional leads. The resulting action may simply be “we will continue monitoring” or it may be “we are going to suspend certain operations, etc.” Decisions may be made to pre-position supporting staff, assets, and structure as necessary, re-align production, stand up alternate work-sites, bolster physical or cyber security, commence proactive messaging, marketing and corporate communication activities, etc. Decision points should be established at scale to the organization – at the enterprise, line of business, functional, regional, and/or site levels. Regular reviews should be required in the context of the crisis environment of the prior year, including a review of associated mitigation actions, response plans, and recovery and continuity capacities. If a Crisis Action Team responsible for a specific international region convened to discuss a tripwire which had been reached, that meeting and any course of action determined to address the tripwire should be documented and shared broadly.
A final consideration leading toward crisis management is to make the conversation a regular one; institute a process by which crisis management leadership at scale regularly meet to discuss the overall crisis environment, ongoing mitigation strategies, and common or regularly occurring events that would be ripe for targeting by adversarial threat actors or most naturally vulnerable to disaster; keep the dialogue on crisis constant and relevant. An example might be a quarterly meeting of an executive Crisis Management Team, mirrored by subordinate leadership teams overseeing lines of business, functions or regions. Each regularly scheduled meeting might include an agenda of items required for annual or quarterly discussion, such as the political stability in the region, criminal and terror threat actors, major natural disaster trends or seasons, the current public perception of the organization and brands, public perception of any current or former brand ambassadors, targeting trends of IT infrastructure and the convergence of cyber and physical threat actors and security mitigation strategies, etc. Other agenda items might include upcoming corporate events, holidays, corporate travel, marketing campaigns, employee relation issues, etc. Meetings might be virtual, held via automated collaboration applications, mobile applications or e-mail.
Some final considerations to this approach are to review and use available technology and automated data analytics and process tools, maintain agility in collaboration by sensible use of group messaging and mobile notification applications, and to balance the requirement for reporting from field or regional sites with empowerment and trust in their management of process.
Proactive crisis management elevates an organization’s resiliency and positions leadership across the enterprise to best identify crisis ahead of time while still maintaining stalwart programs in mitigation, preparedness, response and recovery.
Author: Matthew Hollar.
For more information about Fidelis Global Group, LLC and our services visit our website, contact us or follow us:
Website at https://fidelisglobalgroup.com