To survive the “unexpected,” businesses today, both in the private and public sectors, must be prepared for unusual business conditions, whether they are caused by manmade, natural, environmental or accidental circumstances. And it’s essential that businesses develop crisis plans and regularly test them.
Crisis planning can be broken down into three main areas: emergency management, business continuity and resilience plans.
Most businesses look at one or maybe two of these areas, but a good plan needs to encompass all aspects. The flaw many companies encounter is that they develop crisis plans to show that they will work – but the plans are seldom tested for failure. But failure is where we learn how things really work – or not. What chain of unforeseen events might be set off by an incident when best-laid plans are set aside and improvisation is key?
So why are these three areas so important?
In most “emergencies,” the first thing to take into consideration is how you assess the situation in preparation for an event – for example, a natural disaster like a hurricane or a scheduled occurrence like the Super Bowl. Questions to ask: What is my team, and who does it include? How do I ensure I have the qualified resources, as well as the assurance that in an emergency situation they will be able to be first responders? Is any individual critical in the process? How do you get people where they need to be – or do you have access remotely? What is the impact if you pull a few key people out of the process or facilities?
It’s admirable for companies to talk about 99.999 percent as an effective measure for up-time around networks and systems, but rarely does this get discussed at the application level or even further down the stack, at the customer level. How do you make sure your business is operational and functioning as normal?
This vigilance should be extended to your business partners, suppliers, transporters, maintenance, etc. The aftermath of the tsunami and Fukushima nuclear power incident in Japan has shown us how important this can be, given the disruption we have seen within the technology industry since then.
Then there is resilience. How much redundancy do you need in your business, either in the “business as usual” process or as it relates to business as “unusual”?
In reality, the three major areas noted here all merge together in a solid risk management process and an accompanying assessment of the organization’s risk appetite. Although the term risk appetite is more often associated with security, a risk appetite should be applied generally to how and what you view as critical within your business. Where is your lifeline and what aspects of the organization does it encompass?
Here is what I consider the top ten tips for what you should cover in crafting your organization’s risk management strategy:
1) What are the requirements of the business as it relates to governance and compliance?
2) Who is your end customer and how do you make money? The answer to this question can then be interpreted as your company’s “lifeline” – you must be able to service your end-customer. In the case of public sector organizations, you will be defining your end-users and stakeholders and the critical services you are expected to maintain.
3) What key processes, partners and divisions have to be up and running to ensure you can make your end-product or deliver your service to users?
4) What systems are critical? Which ones already have resilience built in? This could also be applied to partners and other areas.
5) Know where your “single points of failure” (SPOF) are and minimize these, even in your business “as usual” scenario.
6) Who are the key individuals, teams, groups within the business? It’s essential you bring them into the planning process.
7) Start with a good foundation. Don’t try to swallow the elephant whole; take bites out of it and measure the program against results.
8) Having a solid governance tool as a way to manage is important. It helps in knowledge-sharing and to ensure the intellectual capital is where you can find it and not stuck in someone’s head. It also allows you to measure progress against key business objectives, which is always good when money is being spent against objectives.
9) Integrate crisis planning into your change management processes so that it is part of the standard implementation.
10) Test regularly and test to get to failure! The only time you have a chance for a “mulligan” is when you are testing. When the real incident happens you need to know you have the right people, ingenuity and familiarity with what to do when something goes wrong.
So When The “Unexpected” Actually Happens . . .
The hours – and actions you take – immediately following an incident are particularly critical. What you do then can make a big difference – not just to the costs you incur and the business you may lose – but to the possible public relations fallout. So again, it’s essential to have a crisis management plan in place – one that makes it clear what everyone should do and, in particular, how communications with customers, the media and other stakeholders are to be handled.
Experience suggests honesty is the best policy. Attempts to minimize problems and downplay their impact have a habit of making things worse.
Your crisis management plan must follow a few simple but important principles.
First, you need to “Confirm” the nature, scale and impact of the incident if your response is going to be appropriate. Is the incident real? Where is it, and who is affected by it?
Second, prompt and effective early intervention can “Contain” the incident and prevent escalation of severity and resultant impacts. This intervention proves most effective in those organizations where regular and realistic testing of the plan has taken place.
Finally, what and how you “Communicate” is vital. In the early stages of the crisis, the demand for good quality information is at its highest – exactly at the time when the quality of that information is at its lowest. This position is reversed as the timeline of the crisis progresses.
The effectiveness of the communication strategy will very much depend on how successfully you have managed to confirm and contain the impact of the incident and, coming full circle, how effectively you built and tested your crisis plan in the first place.