One of the general guidelines in crisis management plan development is to focus on the process, not the specifics. This advice is generally well-founded, in that the key is to provide a framework where key decision makers can guide their organization through the crisis event. This approach rests on several assumptions. First, it is assumed that the crisis management team, given an effective response structure, can effectively use their own experience as well as other internal and external resources to resolve the crisis, regardless of the initiating event. Secondly, it is assumed that it would not be possible to write a crisis management plan for every initiating event and subsequent series of crisis-related events.
However, it seems that we have witnessed several incidents in the last decade that should challenge us as crisis management planners to substantially address high-consequence events, even as their likelihood parameters approach the lower limits. Events such as 9/11, Hurricane Katrina and the oil spill in the Gulf Coast remind us that low-probability, high-consequence events do occur - sometimes even against the odds.
The ASIS International guideline on business continuity outlines four steps for business continuity and crisis management plan development:
- Readiness: Activities include risk assessment, business impact analysis and strategic plan development.
- Prevention: Activities include development of mitigation strategies, as well as approaches to avoidance, deterrence and detection.
- Response: Activities include crisis management team activation and plan execution.
- Recovery/Resumption: Activities involve damage assessment, resumption of critical processes and the transition to normal operations.
It is the risk assessment activity of the Readiness portion of this model that drives all of the downstream planning activities - especially as it relates to impact analysis and mitigation strategies. It is also this portion of the model that needs elevated effort as enhanced attention is drawn to high-consequence, low-probability (HCLP) events.
In many industries, the HCLP events are generally at the edge of the organization's operational framework. This makes it difficult for crisis management planners to address this class of events for a variety of reasons:
1. New Processes and Technology: New technologies and processes often represent new sets of operating parameters and conditions with which operational personnel are not entirely familiar. Operating experience across the complete envelope of operational parameters is sometimes necessary to definitively characterize and understand system or component response characteristics. This presents the potential for failure modes and consequences that are not entirely understood or expected.
2. Corporate Organization: In large or highly compartmentalized organizations, the contingency planners may not be aware of all of the risk sources within the organization's activities. Even if planners are well-apprised of the organization's activities, the necessary communication links to the operating units may not be sufficiently robust.
3. Historical Precedent: Most risk assessments are based on an examination of historical incidents. Crisis management planning, based on the results of these risk analyses, is then directed toward future incidents of the same class and magnitude. While this approach has served the crisis planning community well, it must be recognized that within the last decade incidents exceeding historic proportions have occurred. This should temper the reliance on historical data.
4. Operational Failures: Most designed processes proceed smoothly as long as they are operated within the defined parameters. However, as shown in the Union Carbide Bhopal incident, human error or negligence can result in cascading failures leading to catastrophic consequences.
Pushing the envelope of normal practice to more specifically address HCLP events will take the cooperation and support of a larger portion of the organization and will likely require more capital resources. Here are some suggestions on how to proceed:
1. Initiate Discussion: Initiate discussion within the organization on the differences between traditional crisis management plan development and how the landmark HCLP events noted above should affect that approach. The goal of any attempt at crisis management planning is to limit consequences as much as possible.
2. Identify Potential HCLP Events: While we have in some ways been cautioned to be reasonable and not think worst-case, this is the time to break out of that box. What new technologies or processes are we employing in our production activities? What strategic partnerships have formed with other organizations that could result in direct (financial, damaged products, increased labor costs) and/or indirect (loss of reputation, negative media coverage, poor morale, increased recruiting and labor costs) exposure? What events would threaten and maybe guarantee the demise of the organization?
3. Categorize the Identified HCLP Events: For planning purposes, it is useful to categorize the HCLP events as new sources of risk or existing - and presumed manageable - risks that become HCLP events. The approach for each is different. For new sources, it is imperative that subject matter experts - either within or external to the organization - be consulted to characterize the risk, failure modes, and consequences as well as appropriate and effective mitigating measures. For existing risk sources, it is essential to understand the factors that could result in what is considered manageable becoming unmanageable. Is the risk properly understood and characterized? Are the existing mitigating factors sufficient to address the emerging crisis? What mitigation activities would be necessary to halt the progression? Are those actions feasible within fiscal, environmental, legal and societal constraints? Are the proper tools available to the crisis management team to recognize the transition from manageable to a truly unmanageable crisis? The answers to these questions will come from those who are directly involved with the design and operations of the portions of the organization that own the risk sources.
4. Push for Recognition or Resolution: In many cases, there is no definitive approach to prevent HCLP events, especially those that arise from natural sources like earthquakes or tornadoes. In that case, crisis management planning efforts need to recognize and document the existence of the risk, the potential consequences of the risk, and a resultant emphasis on consequence mitigation and recovery. HCLP events arising from terrorism are similar to those arising from natural events in that prevention does not solely rest with the organization. However, HCLP events that arise from internal activities are prime targets for extensive analysis. What contributes to this risk source? What factors initiate the crisis from this source? What historical data exists on this source and its performance? What operational factors contribute to mitigating the risk from this source? What system or process design changes can be considered to reduce the risk from this source?
5. Emphasize Recognition, Mitigation and Recovery: With the ultimate goal of preserving life, planning activities also need to proceed with a view toward recognizing a major event early, implementing whatever measures are available to mitigate the progression of the event, and pushing the organization toward crisis resolution and recovery.
Current events should push the crisis planning community to place an increased emphasis on planning for HCLP events. In many cases, this can be efficiently addressed as an extension and expansion of planning for what are considered manageable events. However, in many cases, the organization and internal planners need to recognize that certain events could result in catastrophic consequences. Comprehensive impact analysis, rapid recognition and efficient deployment of available mitigation measures still remain the best crisis management tools. In the case of HCLP events, they will need to be deployed more skillfully than ever.
Randall R. Nason, PE, CPP, is a corporate vice president and manager of the Security Consulting Group at C.H. Guernsey & Co. His experience spans a broad spectrum of the security profession, including risk assessment and strategic security master plan development through complete system design, construction management, and design-led build projects. He has also recently designed and conducted full-scale emergency response exercises for a federal agency. He is currently developing electronic security system-related technical manuals, mass notification specifications, and training courses for the U.S. Army.