Unit 3.1: Crisis Management Plan

What is Crisis Management?

Crisis management is the application of strategies and tactics developed to help an organization cope with a sudden and significant negative event that threatens to damage the organization or its stakeholders.

Prevention of any potential crises includes creating a crisis management plan, assigning a crisis management team and performing exercises for implementing the plan.

Crisis Management Plan (CMP) is a document that:

Documents crisis governance structure of an organization.

Provides a detail overview of the roles and responsibilities of employees and management during crisis.

Guides Management into controlling and managing all phases of a crisis and assists them to take quick and relevant actions as per the situation.

Describes the processes, actions and resources an organization will use to respond to key threats and any critical situation. Ensures efficient management of the resources.

Assists in coordinating an appropriate management response reducing instability and uncertainty amongst the employees, ensuring accuracy and on time communication flow.

Considerations in preparing a Crisis Management Plan

Process Flow – Steps in Developing and Maintaining a Crisis Management Plan

3.1.1 Assess Company Threats

3.1.2 Develop a Crisis Management Plan

Establish detailed action plans for identified crises

Define the necessary controls to ensure that crisis response does not compromise product/service safety

Identify availability of resources and determine back-up sources for critical systems

Define key performance indicators (KPIs) to monitor plan effectiveness

3.1.3 Test the Crisis Management Plan

3.1.4 Monitor threats and review the Crisis Management Plan


3.1.1. Assess Company Threats (1)

When developing a crisis management plan the first step is to identify the threats relevant to your organization and your industry and then assess the likelihood and the severity of the impact should these threats materialize. 

Describe the risk scenarios your organization could face. This will help you get a more concrete sense of these potential occurrences and help your planning. Don’t include every possible risk but rather cover a wide range.

Considering these in your Plan preparation ensures that your crisis response capability will include actions that apply to the most probable crises. 


3.1.1. Assess Company Threats (2)

Some common threats are included, but are not limited to, in the table on the left.

Identify those related to your organization and analyze them in depth, considering the typical risk assessment approach.


3.1.1. Assess Company Threats (3)

After having identified your organization main threats, assess them for likelihood to occur and the expected severity of the impact.

Below is a sample risk analysis matrix to use in your assessment.

Then prepare mitigation actions to minimize the risks as well as response actions scenarios how your organization will respond to each of these threats occurring. Analyse issues and areas of concern and make detail planning, to be considered and included in your Crisis Management Plan.   

“In crisis management, be quick with the facts and slow with the blame.”

Leonard Saffir, Public relations executive

3.1.2. Develop a Crisis Management Plan (1)

Before you start documenting the crisis management plan, you should review the results of the organization’s Business Impact Analysis and Risk Assessment (previous slide), as well as the Business Continuity Strategies and solutions along with other relevant information from IT disaster recovery and emergency management, as identified in Business Continuity Management effort.

3.1.2. Develop a Crisis Management Plan (2)

Based on the results of these, select crisis response strategies that suit your organization to ensure that your crisis management plan meets recovery requirements.

An effective crisis management plan includes a variety of elements related to personnel, resources, facilities, employee health and safety, business operations management, resource coordination and communications.

Once crisis response strategies have been selected,  review and map out stakeholder communication and information on critical messaging required during the crisis. This is managed through a crisis communication plan which consists part of the crisis management plan and is important for keeping management, employees, authorities and the public informed about the organization’s response to the emergency. Having completed the above, you can start writing the Crisis Management Plan.


3.1.2. Develop a Crisis Management Plan (3)

An effective crisis management plan should address each of the elements in the tables although its content will vary according to the needs and strategies of the organization.

3.1.2. Develop a Crisis Management Plan (3)

Review and Approve the Crisis Management Plan

When the crisis management plan is complete and ready for introduction, review the plan with members of the crisis management team and key stakeholders to confirm that its structure and content meet the organization’s priorities and requirements and is consistent with the organization’s culture.

Once this is confirmed then the crisis management team leader can formally approve the plan and distribute it to everyone involved in it.

Maintain and update  the Crisis Management Plan

Crisis management is an iterative process which means that it should be updated and renewed annually (at least) or whenever significant changes occur in the organization.

“In crisis management, be quick with the facts and slow with the blame.”

Leonard Saffir, Public relations executive


3.1.2. Develop a Crisis Management Plan (4) Establish detailed response action plans (1)

Review and Approve the Crisis Management Plan

Usually, people respond to crises with confusion, so it is important to make sure your plan clearly identifies the triggers that consist a crisis and includes the relevant procedures and the action plans.

•Proactively prepare action plans for foreseeable risks and threats that will help the organization respond to specific crisis scenarios, including what resources will be required and how employees can help.

•Life safety is always priority when an emergency occurs. As a minimum measure, every facility should have an emergency plan for the protection of employees, visitors, suppliers and anyone else on the premises, including building evacuation actions, protection from severe weather or natural phenomena, and protective actions in case of violence.

•Develop communication protocols and procedures to alert first responders ( public emergency services, management and trained employees)


3.1.2. Develop a Crisis Management Plan (4) Establish detailed response action plans

A generic response structure as below usually fits to respond most of the scenarios.
Crisis Management preparation:
Make sure you have a Crisis Management Plan in place before facing an actual crisis


Crisis Management:
– Warning – Crisis detection: It is impossible to predict when or if a crisis will occur, but you can observe or look for warning signs as an employee’s behavior, changes in the weather, or the company’s financial situation.
– Information collection: Gather as much and accurate information about the event as possible to facilitate planning and decision making.
– Crisis management Team notification & activation: Notify the Crisis Management Team and provide them with all the necessary information to assess the situation and make decisions.
– Assessment of the situation: The CMT will assess the impact the situation might have on the business, employees or customers.
– Decision making: The CMT will decide on activating the recovery plans and the communication plan
– Implementation of decisions (Activation of Recovery Plans, relocation of employees, etc.) and communication to inform everyone about the crisis and initiate actions.
The recovery teams involved in rectifying the crisis implement the chosen recovery plans.
– Return to normal operation: after everyone involved in resolving the crisis has fulfilled (or nearly fulfilled) their tasks, the crisis is brought under control and the necessary plans and actions to return the business to normal can begin.


Post-crisis review and recognition of lessons learned: Analyze the results of the crisis recovery management and determine how the situation was handled and what changes should be made to the crisis management plan to prevent another similar situation in the future.


3.1.2. Develop a Crisis Management Plan (4) Define the necessary controls to ensure that crisis response does not compromise product/service safety

(1)

When planning actions for response to crises, you should define controls to ensure these actions do not compromise your products or services safety.

•The actions you specify must be clear.
•Assign specific roles to groups or individuals to ensure product/service availability.
•Create a detailed plan with actions that properly respond to a specific disaster scenario that could affect products and services.
•Consider the cause of the crisis for each scenario and ways to avoid disruption of services or degradation of product quality.
•Think about the tools and resources you will need to deal with each crisis scenario, how long the crisis is likely to last, what impact it might have on customers and what would you do to deal with that impact. What implications will be caused from any service level agreements with customers.


(2)

Review and Approve the Crisis Management Plan

Products and services affected by the crisis should be immediately identified and evaluated for disposal.

The contamination of a food product, for example, would require actions such as stopping production, issuing a standby statement, notifying senior management, suspending the product, contacting regulatory authorities, considering relevant legal issues, and possibly obtaining a line of credit. 

Therefore, if the response to a crisis changes the process flows or procedures, the crisis team must ensure the product remains safe in the new setup.


(3)

Products produced or released after a crisis response should be evaluated for disposition and if their safety cannot be reasonably assured should be isolated and recall procedures initiated as appropriate.

The measures to be envisaged should include:

•Fast reaction and decision-making
•Recall of products if they threaten customer safety
•Communicate the issue with honesty and transparency
•Plan for actions to back up any public statements and promises you will need to make

See Business Scenario 1 – Management case – Tylenol Product Tampering


Develop a Crisis Management Plan (4)

Identify availability of resources and determine back-up sources for critical systems

Determine the resources and tools needed to effectively deal with an incident, how to use them, and by whom. These resources can be information systems, communication tools, supporting processes and sources of critical information.

The organization must ensure that the IT systems and infrastructure it uses are robust, secure and performing optimally. Continuous and successful operation of systems requires monitoring and testing capabilities to reveal issues and vulnerabilities before they affect end users, giving IT teams the ability and time to identify and remediate them.

A disaster recovery (DR) site or the Cloud are some capabilities an organization can apply for the recovery and restoration of its technology infrastructure and operations in case of its primary data center unavailability.

3.1.2. Develop a Crisis Management Plan (4)

Define Key Performance Indicators (KPIs) to monitor plan effectiveness

(1)

What a manager can do, in trying to change or avoid a crisis, is to understand how to approach it and design in such a way that he can handle it. This is possible by considering KPIs, also known as key performance indicators, that show that the crisis management plan is performing well. Crisis management metrics can help the organization survive an ongoing crisis and any other issue. KPIs for crisis management are usually not just data that simply show the performance of a business – they can also be indicators of solutions that management can take to recover from, for example, a financial crisis.


(2)

Indicatively, some metrics could be:

Threat readiness: This metric is about how your organization is prepared to handle different treats. To measure your threat preparedness, use a scale of 0 to 100, looking at how well prepared you are to handle:

a)Unpredictable and unexpected emergencies. These are potentially very damaging.
b)Events that are known and prepared for.
c)Events that are unknown and unprepared for. An example could be the possibility of the organization losing its primary and backup data centers at the same time.

Infrastructure readiness: Using a scale of 0 to 100, assess how operationally capable your command centers, procurement and technology are? If the last time you checked the infrastructure with the crisis team was a year ago, are you sure it’s still working?

Past performance: This metric is about your team’s performance in past incidents, whether drills or actual events. Some of the areas that could be assessed are the ability to alert and assemble the crisis management team, team understanding of their roles and responsibilities and quick decision making.


3.1.3. Test the Crisis Management Plan

The crisis management plan should be tested to prove that it is operational, either in an actual crisis or through tests and simulation exercises. It is important to review the plan regularly or whenever significant changes occur in the organization.

Choose exercises of different crisis scenarios that can disclose both the organization’s strengths and weaknesses in preparedness and planning. Ask for attendance and active participation in the exercises of key stakeholders (e.g., key service providers) or external consultants.

Staff participating in the test scenarios are given the opportunity to learn about the Crisis Management Plan, response structure and actions and enable them to be more confident when a crisis arises.

Therefore, the main objectives of the CMP test are:
•Staff training and awareness – CMT members understand their roles and responsibilities
•Make sure the plan is functional and includes all necessary actions.
•After completing each exercise, analyze the results, what went well and what didn’t, so as you can update the Plan accordingly.


Most common exercise types for the crisis management plan are:

Communication/Alert Exercises
o Participants are the CMT members and additional support staff.
o The purpose is to proactively train your team and test communication channels, the effectiveness of the procedures and of the exchange of alert messages and to check the alternate communications.


Tabletop Exercises

o Participants include the CMT members, additional crisis team members and support staff.
o You may invite observers (crisis management experts, police, fire department, etc.)
o The aim of the tabletop exercise is to train and improve functioning of the crisis team, to improve the crisis management plan and strengthen the organization’s resilience to crisis.

Exercises should be done at least annually and additionally after organizational changes or changes of personnel.
After the completion of each exercise, the departments participating should prepare a post-exercise report, including proposed improvements and changes, and submit it to Management.

How to prepare a tabletop exercise

1.Think of a crisis scenario that your company might expect to face. Include an outage of one or more activities, a security issue, or even a public relations issue.
2.Make your crisis management plan available to everyone in a timely manner, so they are aware of the policies and procedures and ask any questions they may have.
3.Gather all participants in a room and spend a few hours on the simulation.
4.Use a facilitator to introduce the scenario and guide the discussion
5.Ask participants to make decisions and find solutions
6.Continue the exercise until all issues are resolved.
7.Log any questions and problems, identify any gaps in the crisis plan and plan any remedial actions required.

During the tabletop exercise, the crisis management team should consider:

•Expectations of the team and all other employees in the event of a crisis
•Available resources to deal with the crisis
•Available options for internal and external communication
•How customers will be affected and how you will manage them on a case-by-case basis
•Company’s data and assets safety

3.1.4. Monitor threats and review the Crisis Management Plan

Maintain your Crisis Management Plan Current!

A Crisis Management Plan is a dynamic document and should be constantly updated with changes occurring in business, employees and threats’ scenarios.

The CMP must be reviewed on a regular basis to confirm its effectiveness in the event of a real crisis. The CMP (as well as any emergency or contingency plans) should be assessed and adapted after:

·Organizational changes,
·Introduction of new processes, or technologies, new sites, new products and services
·Integration of new personnel, change of responsibilities, etc.
·Lessons learned during actual crisis situations (even by others) or exercises
·New evolving threats

The updated plan requires to be communicated to all stakeholders and team members, approved and be tested and exercised as appropriate.


Summary Takeaways

Crisis management is the employment of tactics and strategies developed to help an organization cope with a sudden disturbing event that threatens to harm the organization or its stakeholders.

A crisis management plan (CMP) describes how to deal with a critical situation that would negatively affect an organization’s profitability, customers, reputation or ability to operate.

A comprehensive process to create a CMP includes the following steps:
– Assess company threats and take actions to reduce identified risks
– Write the plan considering specific response action plans
– Test the Plan
– Revise and Update your Plan regularly

Check your understanding

Think about each of the following questions. If you are not sure of the answer, check what you have read to find the information you need before going on to the next question.

1. Why the development of a crisis management plan is important?

2. What are the steps in developing and maintaining the CMP?

3. What are the objectives of testing the CMP?

“You cannot ignore a crisis, but you can be better prepared to respond.”