One of the general guidelines in crisis management plan development is to focus on the process, not the specifics. This advice is generally well-founded, in that the key is to provide a framework where key decision makers can guide their organization through the crisis event. This approach rests on several assumptions. First, it is assumed that the crisis management team, given an effective response structure, can effectively use their own experience as well as other internal and external resources to resolve the crisis, regardless of the initiating event. Secondly, it is assumed that it would not be possible to write a crisis management plan for every initiating event and subsequent series of crisis-related events.
However, it seems that we have witnessed several incidents in the last decade that should challenge us as crisis management planners to substantially address high-consequence events, even as their likelihood parameters approach the lower limits. Events such as 9/11, Hurricane Katrina and the oil spill in the Gulf Coast remind us that low-probability, high-consequence events do occur - sometimes even against the odds.
The ASIS International guideline on business continuity outlines four steps for business continuity and crisis management plan development:
- Readiness: Activities include risk assessment, business impact analysis and strategic plan development.
- Prevention: Activities include development of mitigation strategies, as well as approaches to avoidance, deterrence and detection.
- Response: Activities include crisis management team activation and plan execution.
- Recovery/Resumption: Activities involve damage assessment, resumption of critical processes and the transition to normal operations.
It is the risk assessment activity of the Readiness portion of this model that drives all of the downstream planning activities - especially as it relates to impact analysis and mitigation strategies. It is also this portion of the model that needs elevated effort as enhanced attention is drawn to high-consequence, low-probability (HCLP) events.
In many industries, the HCLP events are generally at the edge of the organization's operational framework. This makes it difficult for crisis management planners to address this class of events for a variety of reasons:
1. New Processes and Technology: New technologies and processes often represent new sets of operating parameters and conditions with which operational personnel are not entirely familiar. Operating experience across the complete envelope of operational parameters is sometimes necessary to definitively characterize and understand system or component response characteristics. This presents the potential for failure modes and consequences that are not entirely understood or expected.
2. Corporate Organization: In large or highly compartmentalized organizations, the contingency planners may not be aware of all of the risk sources within the organization's activities. Even if planners are well-apprised of the organization's activities, the necessary communication links to the operating units may not be sufficiently robust.
3. Historical Precedent: Most risk assessments are based on an examination of historical incidents. Crisis management planning, based on the results of these risk analyses, is then directed toward future incidents of the same class and magnitude. While this approach has served the crisis planning community well, it must be recognized that within the last decade incidents exceeding historic proportions have occurred. This should temper the reliance on historical data.
4. Operational Failures: Most designed processes proceed smoothly as long as they are operated within the defined parameters. However, as shown in the Union Carbide Bhopal incident, human error or negligence can result in cascading failures leading to catastrophic consequences.