Crisis Planning
Sunday, November 24, 2013
Crises happen from time to time in all organizations.
So when one happens "on your watch" how will you react?
Will you resolve it in a way that seems graceful and well-considered?
Or will you stumble, and make mistakes which seriously damage your business?
This depends on the quality of the crisis planning that you do.
Crisis planning requires foresight, insight and hindsight. When you plan for a crisis you are, by definition, planning for something that has not yet occurred but might do, and might have a serious impact on your business.
No one wants a crisis to happen, but we must acknowledge the truth: bad things do happen, and the results can be serious or even disastrous.
The need for crisis planning is clear, but because the exact nature and likelihood is unknown, many of us put it off. Don't make that mistake! It's not defeatist or fatalistic, it's simply realistic. If a crisis happens, you'll manage it much more successfully if you've prepared properly in advance!
When we think of business crises, we often think of major disasters such as terrorist attacks, hurricanes, or a pandemic of avian flu. While terrorism and natural disasters definitely need to be anticipated, it's worth remembering that there are many other types of less dramatic business crisis that can cause damage to your organization. These include:
A computer virus or breach of IT security.
Theft of money or fraud by a member of staff.
Staff resignations.
Labor disputes.
Lawsuits from staff, former staff or customers.
Burglary or vandalism.
Fire.
Power cuts.
Transport disruption.
Product recalls.
Many of these arise from within an organization. And it's worth noting that sometimes the risk is predictable, and prevention may be in your control. For example, a contented workforce is unlikely to go on strike; or if you have retail premises, vandalism may be an expected cost of doing business.
Remember, too, that impact of a crisis can go beyond the direct loss of money, sales or long term customers: for example, if the crisis means that your organization no longer meets its regulatory requirements, you could lose your license to do business.
Whether yours is a business in the pursuit of profit, or a public service organization such as a hospital, you have a duty to your stakeholders to get back on track as soon as possible. A crucial part of crisis planning is therefore to plan for business continuity after a crisis. This part of crisis management is often referred to as business continuity planning or business continuity management.
Planning to Manage Crises
There are many approaches to crisis planning and business continuity planning. Most involve the following four stages, in one way or another. These stages are described further below to provide a generic framework for your crisis planning.
Preparation.
Crisis Analysis.
Response Planning.
Recovery Planning.
Stage 1: Preparation
There are two main areas of preparation to think about – information gathering, and definition of roles and responsibilities.
Start by appointing the person who's going to be responsible for the crisis plan. If your organization has several sites, it can be useful to have someone responsible at each site, and also an overall coordinator. If you're the person responsible for crisis planning, make sure that you involve the right people in the process of creating the crisis plan, and that you communicate effectively with those involved. Stakeholder management is a great way to make sure you involve the right people.
Before you start crisis planning, it's important to understand the risks you face, and plan your response.
The risks that affect businesses vary enormously between individual businesses, industry sectors and countries. But your company may have many risks in common with other businesses in your industry or locality, and that means you can learn much from other people's experience. Business associations, local agencies, regulators and governments often share such learning, by providing advice on crisis management and prevention. So it's well worth finding out what's available that's relevant to you before you start your crisis planning.
Assess any crisis plans that are already in place. If your company has faced crises in the past, talk to people who were involved and find out what they learned from them.
Seek advice from organizations and agencies which have an interest in your successful management of crises. Your local or national police may provide advice on physical security and other threats caused by crime. Your insurance company may also be a good place to find help.
Stage 2: Crisis Analysis
Next you need to identify the potential crises that could occur, and get a feel for their risk and potential impact.
Our article on Risk Analysis and Risk Management gives more detail on how to assess risk and, by extension, identify potential crises: crises are risks that have potentially high impact, so they are a sub-set of all the risks your business faces. Even if the likelihood of something happening is low, you should take it into account in crisis planning if it could cause serious damage to your business.
This list of potential threats to your business, similar to the one used in our risk analysis article, is a good check list to use in identifying potential crises. It's also helpful to consider both internal and external threats.
Human – from individuals or organizations, illness, death, etc.
Operational and material – from disruption to supplies, loss of access to essential assets, burglary or vandalism etc.
Reputational – from damage to reputation in the market.
Procedural – from failures of accountability, from fraud etc.
Customer, supplier and employee – threats from obligations to and dependence on these parties.
Financial – from business failure, stock market, interest rates etc.
Technical – from advances in technology, technical failure, computer viruses etc.
Natural – threats from weather, natural disaster, accident, disease, etc.
Political – from changes in tax regimes, public opinion, government policy, etc.
Perhaps using this as a starting point, conduct a brainstorming session with appropriate stakeholders to identify the risks you face. Next, consider and write down the potential consequences of the most serious threats.
Once you have a list of threats and their possible impacts, you can narrow this down to a list of the most significant crises that you should consider. This is best done with the senior stakeholders for crisis management in your organization: by looking at the threats and potential impacts, this group of people will be well placed to determine and agree the scope of your crisis plan.
Stage 3: Response Planning
When you have determined the crises that need to be planned for, and their potential impact, you are ready to consider how you will respond to each. Having a well-thought-through crisis plan in place can be the difference between reacting in a well-considered and proportionate way, and reacting in a haphazard or rash way. With a planned response, your reaction will be purposeful and efficient, the outcome will be better, and there will be much less stress, frustration, and confusion for all involved.
For each crisis, make sure you have gathered all the information you can from relevant parties and organizations to help you plan your response and, later, your recovery (revisit stage 1 above). Also determine who the stakeholders are for this crisis – who will be impacted? Who will be involved in the urgent response? Who holds key data that will be required?
Now consider, for each crisis, the following questions (where appropriate, do this in consultation with key stakeholders):
How will you tell that this crisis is happening?
What procedures need to be activated in the event of a crisis? Be as detailed as you can. Keep asking "If this happens, what do we do?" and develop a system of "If____, then ____" recommendations to be followed in the event of the crisis.
What equipment and resources will you need to implement your crisis procedures? For example, if you need a recovery center, which staff should move to it, and what will they need?
Who communicates what, and to whom, during the crisis situation? Create a system of communication to clarify people's responsibility and how communication will flow. For example, if the crisis puts your office or computer system out of action, how will you communicate alternative arrangements to staff? How will you handle customers and suppliers too? Our article on Communicating in a Crisis helps further on this.
What are the criteria for determining that the crisis is over, and when it is time to move to the recovery stage?
Build up your crisis plan to detail the criteria, procedures, equipment and resources, and communications that will be
needed in the event of each crisis. Once this has been completed and agreed with senior stakeholders, make sure it's communicated to everyone involved.
Stage 4: Recovery Planning
The last stage of Crisis Planning is to determine how to set things back to normal as quickly as possible. This helps you know what to expect during the period immediately following a crisis. Without this part of the plan it is easy to be unrealistic, and assume that "business as usual" will be resumed quickly.
Here are some more questions to help with this part of the planning, for each crisis in your plan:
What will you need to do to recover from each of the impacts of the crisis?
How will you transition from any interim arrangements made during the immediate crisis response?
How will staff, customers and other stakeholder be debriefed?
What other follow-up procedures may be required for staff and other stakeholders? For example, in the event of a major disaster, counseling may be required.
How will you gather feedback about this crisis and incorporate lessons learned into an updated crisis plan?
Key Points
Crisis planning can make the difference between surviving a crisis situation and succumbing to it. As such, it is an important part of proactive and effective management.
In many crisis situations, the stakes are high and the margin for error low. If you don't already have a good crisis plan, consider doing some crisis planning sooner rather than later.
Tags:
Leadership Skills, Skills
So when one happens "on your watch" how will you react?
Will you resolve it in a way that seems graceful and well-considered?
Or will you stumble, and make mistakes which seriously damage your business?
This depends on the quality of the crisis planning that you do.
Crisis planning requires foresight, insight and hindsight. When you plan for a crisis you are, by definition, planning for something that has not yet occurred but might do, and might have a serious impact on your business.
No one wants a crisis to happen, but we must acknowledge the truth: bad things do happen, and the results can be serious or even disastrous.
The need for crisis planning is clear, but because the exact nature and likelihood is unknown, many of us put it off. Don't make that mistake! It's not defeatist or fatalistic, it's simply realistic. If a crisis happens, you'll manage it much more successfully if you've prepared properly in advance!
When we think of business crises, we often think of major disasters such as terrorist attacks, hurricanes, or a pandemic of avian flu. While terrorism and natural disasters definitely need to be anticipated, it's worth remembering that there are many other types of less dramatic business crisis that can cause damage to your organization. These include:
A computer virus or breach of IT security.
Theft of money or fraud by a member of staff.
Staff resignations.
Labor disputes.
Lawsuits from staff, former staff or customers.
Burglary or vandalism.
Fire.
Power cuts.
Transport disruption.
Product recalls.
Many of these arise from within an organization. And it's worth noting that sometimes the risk is predictable, and prevention may be in your control. For example, a contented workforce is unlikely to go on strike; or if you have retail premises, vandalism may be an expected cost of doing business.
Remember, too, that impact of a crisis can go beyond the direct loss of money, sales or long term customers: for example, if the crisis means that your organization no longer meets its regulatory requirements, you could lose your license to do business.
Whether yours is a business in the pursuit of profit, or a public service organization such as a hospital, you have a duty to your stakeholders to get back on track as soon as possible. A crucial part of crisis planning is therefore to plan for business continuity after a crisis. This part of crisis management is often referred to as business continuity planning or business continuity management.
Planning to Manage Crises
There are many approaches to crisis planning and business continuity planning. Most involve the following four stages, in one way or another. These stages are described further below to provide a generic framework for your crisis planning.
Preparation.
Crisis Analysis.
Response Planning.
Recovery Planning.
Stage 1: Preparation
There are two main areas of preparation to think about – information gathering, and definition of roles and responsibilities.
Start by appointing the person who's going to be responsible for the crisis plan. If your organization has several sites, it can be useful to have someone responsible at each site, and also an overall coordinator. If you're the person responsible for crisis planning, make sure that you involve the right people in the process of creating the crisis plan, and that you communicate effectively with those involved. Stakeholder management is a great way to make sure you involve the right people.
Before you start crisis planning, it's important to understand the risks you face, and plan your response.
The risks that affect businesses vary enormously between individual businesses, industry sectors and countries. But your company may have many risks in common with other businesses in your industry or locality, and that means you can learn much from other people's experience. Business associations, local agencies, regulators and governments often share such learning, by providing advice on crisis management and prevention. So it's well worth finding out what's available that's relevant to you before you start your crisis planning.
Assess any crisis plans that are already in place. If your company has faced crises in the past, talk to people who were involved and find out what they learned from them.
Seek advice from organizations and agencies which have an interest in your successful management of crises. Your local or national police may provide advice on physical security and other threats caused by crime. Your insurance company may also be a good place to find help.
Stage 2: Crisis Analysis
Next you need to identify the potential crises that could occur, and get a feel for their risk and potential impact.
Our article on Risk Analysis and Risk Management gives more detail on how to assess risk and, by extension, identify potential crises: crises are risks that have potentially high impact, so they are a sub-set of all the risks your business faces. Even if the likelihood of something happening is low, you should take it into account in crisis planning if it could cause serious damage to your business.
This list of potential threats to your business, similar to the one used in our risk analysis article, is a good check list to use in identifying potential crises. It's also helpful to consider both internal and external threats.
Human – from individuals or organizations, illness, death, etc.
Operational and material – from disruption to supplies, loss of access to essential assets, burglary or vandalism etc.
Reputational – from damage to reputation in the market.
Procedural – from failures of accountability, from fraud etc.
Customer, supplier and employee – threats from obligations to and dependence on these parties.
Financial – from business failure, stock market, interest rates etc.
Technical – from advances in technology, technical failure, computer viruses etc.
Natural – threats from weather, natural disaster, accident, disease, etc.
Political – from changes in tax regimes, public opinion, government policy, etc.
Perhaps using this as a starting point, conduct a brainstorming session with appropriate stakeholders to identify the risks you face. Next, consider and write down the potential consequences of the most serious threats.
Once you have a list of threats and their possible impacts, you can narrow this down to a list of the most significant crises that you should consider. This is best done with the senior stakeholders for crisis management in your organization: by looking at the threats and potential impacts, this group of people will be well placed to determine and agree the scope of your crisis plan.
Stage 3: Response Planning
When you have determined the crises that need to be planned for, and their potential impact, you are ready to consider how you will respond to each. Having a well-thought-through crisis plan in place can be the difference between reacting in a well-considered and proportionate way, and reacting in a haphazard or rash way. With a planned response, your reaction will be purposeful and efficient, the outcome will be better, and there will be much less stress, frustration, and confusion for all involved.
For each crisis, make sure you have gathered all the information you can from relevant parties and organizations to help you plan your response and, later, your recovery (revisit stage 1 above). Also determine who the stakeholders are for this crisis – who will be impacted? Who will be involved in the urgent response? Who holds key data that will be required?
Now consider, for each crisis, the following questions (where appropriate, do this in consultation with key stakeholders):
How will you tell that this crisis is happening?
What procedures need to be activated in the event of a crisis? Be as detailed as you can. Keep asking "If this happens, what do we do?" and develop a system of "If____, then ____" recommendations to be followed in the event of the crisis.
What equipment and resources will you need to implement your crisis procedures? For example, if you need a recovery center, which staff should move to it, and what will they need?
Who communicates what, and to whom, during the crisis situation? Create a system of communication to clarify people's responsibility and how communication will flow. For example, if the crisis puts your office or computer system out of action, how will you communicate alternative arrangements to staff? How will you handle customers and suppliers too? Our article on Communicating in a Crisis helps further on this.
What are the criteria for determining that the crisis is over, and when it is time to move to the recovery stage?
Build up your crisis plan to detail the criteria, procedures, equipment and resources, and communications that will be
needed in the event of each crisis. Once this has been completed and agreed with senior stakeholders, make sure it's communicated to everyone involved.
Stage 4: Recovery Planning
The last stage of Crisis Planning is to determine how to set things back to normal as quickly as possible. This helps you know what to expect during the period immediately following a crisis. Without this part of the plan it is easy to be unrealistic, and assume that "business as usual" will be resumed quickly.
Here are some more questions to help with this part of the planning, for each crisis in your plan:
What will you need to do to recover from each of the impacts of the crisis?
How will you transition from any interim arrangements made during the immediate crisis response?
How will staff, customers and other stakeholder be debriefed?
What other follow-up procedures may be required for staff and other stakeholders? For example, in the event of a major disaster, counseling may be required.
How will you gather feedback about this crisis and incorporate lessons learned into an updated crisis plan?
Key Points
Crisis planning can make the difference between surviving a crisis situation and succumbing to it. As such, it is an important part of proactive and effective management.
In many crisis situations, the stakes are high and the margin for error low. If you don't already have a good crisis plan, consider doing some crisis planning sooner rather than later.
