In spite of our best efforts to strategically apply every piece of technology available and all best practices, eventually every organization will experience a crisis of some magnitude. At that point, regardless of the initiating event, the most important goal is to recover the business as quickly and as cost-effectively as possible.
We in the security industry know all about crisis avoidance and prevention. After all, the primary thrust of our jobs is to implement a program that will prevent or deter unacceptable behavior directed at our organization. And it is within this context that security and crisis management become adjacent, and in some circumstances, overlapping functions.
The two functions are adjacent in that certain classes of threats must pass through the security program to cause a crisis impacting the organization. For example, a disgruntled former employee must bypass technological, procedural and administrative security controls to regain access to a corporate facility and take a hostage. Crisis management takes over after the threat “defeats” the security program. However, these functions overlap as well, since security would play an ongoing role in resolving the crisis.
The strategic response to a potential organization-threatening crisis is the crisis management or emergency operations plan. In broad terms, the strategy is to prevent or avoid the initiating event, mitigate the consequences of the event should it occur, and recover from the event as quickly as possible.
The Goals of Crisis Management
1) Define the crisis in terms that are applicable and understandable to the organization. Different organizations face different types of crises depending on their focus, location, ownership structure, position in their industry, threats faced, and level of preparation. Carefully defining in real terms the family of crises that could threaten the very existence of an organization helps to elevate the importance and practicality of the plan development effort.
2) Establish an organization to deal with the crisis immediately before and during the crisis, as well as during the recovery stage. These individuals need to be a special breed that can make strategic decisions in the midst of what may be chaotic circumstances and with much less than adequate information.
3) Establish procedures for quickly accessing internal and external resources as needed. During times of crisis, normal procurement channels will be unacceptable. Those involved in crisis management need access to the necessary recovery tools immediately. Additionally, the normal chain of command may be unworkable. Key individuals may be unavailable; communication paths may be unreliable and slow; if the crisis is brought on by a natural disaster, available supplies may be dwindling due to demand by all organizations in a particular region.
4) Establish benchmarks to signal when the organization is ready to move out of emergency operations and back to some level of normalcy. The emergency operations mode is not an efficient business model. Established metrics can help signal the crisis management team to begin the transition back to normal operations.
Planning Isn't Just Long-Term
Crisis management is all about planning. This planning is normally subdivided into five categories: long-range planning (the event is not in sight), near-term planning (the event, such as a hurricane, is expected in two to three days), event planning (the crisis is ongoing), response planning (short-term response actions after the event has occurred), and recovery (late response actions and transition to normal operations). This list clearly recognizes that there is much an organization can do to prepare for a crisis.