Note: This article is the cover story in the Feb/March issue of Security Technology Executive magazine.
As of the preparation of this article, numerous ongoing crises have had a global impact. There is a war in Ukraine. China is feeling the effects of COVID. The U.S. Federal Aviation Administration grounded all flights nationally for several hours. There are also other global issues, such as food insecurity and climate change.
Crises involving multinational firms and people worldwide are found in the media daily. Over the past several years, many of us have personally experienced the trickle-down effects of the global crisis, including inflation, lack of goods on shelves, and minimized services.
For example, the microchip shortage negatively impacted many aspects of daily life. Due to the chip shortage, automobiles, computers, cell phones, microwaves, refrigerators, and laundry machines were in short supply. According to several sources, in 2021, supply chain declines in chip manufacturing had a $240 billion impact on the U.S. economy alone. The bad news is that this loss was, for the most part, preventable. The primary reason for the loss in the United States was the lack of domestic chip manufacturing capability.
Many organizations have chosen to outsource their chip needs to offshore locations due to the cost of manufacturing. With COVID, the supply chain became unstable as most of the manufacturing had been outsourced to China. The result was a supply chain collapse, and U.S. domestic manufacturing stopped.
Despite ISO Standards, National Standards, and many other public documents, only some organizations possess a level of preparedness that allows them to respond efficiently and effectively in the face of uncertainty and disaster.
The impacts of crisis and disaster are significant. There are many different impacts, but most fall into four categories: people, finances, equipment, and reputation. The gravity of each measure of impact changes depending on the firm. For example, a firm that earns over a billion dollars a year may not be concerned with a five-million-dollar impact. Still, that loss would be devastating to a company with annual revenue of ten million dollars.
In post-event analysis, it is well-known that uncoordinated and reactionary responses to crises reveal a lack of foresight and planning. So why do organizations fail to prepare for a crisis?
Michael D. Watkins and Max H. Bazerman of the Harvard Business School opine that an organization's inability to prepare for crises can be traced to psychological, organizational, and political barriers ("Predictable Surprises: The Disasters You Should Have Seen Coming," hbr.org).
The disturbing fact is that the impact of a global crisis can be mitigated or minimized through the practice of Organizational Resilience.
Making the Business Case for Organizational Resilience
All organizations face a certain amount of uncertainty and risk. To assure operations' sustainability and maintain resilience, competitiveness, and performance, organizations must have a system to manage their risks. The challenge is determining how much risk and uncertainty is acceptable and how to cost-effectively manage the risk and uncertainty while meeting the organization's strategic and operational objectives. Given the finite resources of organizations, it is imperative that they have business-friendly tools to address any array of threats, hazards, and risks they may face.
To effectively manage risk, organizations must develop balanced strategies to address the minimization of the likelihood, consequences, and impacts of disruptive events adaptively, proactively, and reactively.
Through the practice of organizational resilience, organizations now have a means to apply a systems approach to managing risk. This approach includes policies, organizational structure, responsibilities, planning activities, practices, procedures, and processes. It allows an organization to create and manage its process and activities to meet business objectives. By using an integrated approach, organizations can leverage the perspectives, knowledge, and capabilities of divisions and individuals within an organization.
This approach results in a management system that is needs-focused and goals-driven while maintaining a people orientation that is leadership-driven. Although led by the most senior executives, the process involves people at all levels and promotes cultural change. It also emphasizes a process approach and provides a systematic approach to management, thereby supplying a factual basis for decision-making. By fostering continual improvement, this system results in a clear business advantage.
Business Impact Analysis and Business Continuity
As with so many other facets of life, the first step to solving problems is to identify the problem. When it comes to crisis management, we accomplish this first step with a Business Impact Analysis (BIA). The risk, threat, and vulnerability assessment helps to inform the BIA.
The U.S. Department of Homeland Security's Business Impact Analysis page on Ready.gov is an excellent resource for conducting a Business Impact Analysis. There is no need to reinvent the wheel.
A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios that should be considered.
Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.
Business Continuity Plan
“A Business Continuity Plan is an ongoing process supported by senior leadership and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure the continuity of operations through personnel training, plan testing, and maintenance.”
ASIS International's Business Continuity Guideline (ASIS GDL BC 01-2005) provides the following definitions.
"Business Continuity is a comprehensive managed effort to prioritize key business processes, identify significant threats to normal operation, and plan mitigation strategies to ensure an effective and efficient organizational response to the challenges that surface during and after a crisis."
"A Business Continuity Plan is an ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure the continuity of operations through personnel training, plan testing, and maintenance."
A Business Continuity Plan contains the following components.
- Document Control
- Risk Assessment of Impact Analysis
- Invocation Process
- Incident Management Team
- Key Roles and Responsibilities
- Communications Planning
- Disaster Recovery of Information Technology Systems and Information Backup
- Human Resource Considerations for Staff Welfare and Regulations
- Alternative Locations
- Inbound and outbound supply chain
- Activation Procedures
Federal Emergency Management Administration (FEMA) Business Continuity Plan Template: https://www.fema.gov/sites/default/files/2020-10/non-federal-continuity-plan-template_083118.pdf
Training, Testing, and Evaluation
Why exercise? Exercises are a low-cost tool that allow key stakeholders involved in the planning and implementation of a crisis management plan to test the plan through a facilitated scenario-based discussion and to identify gaps. The gaps can then be closed, and the plan improved.
Timely resolution of a crisis is money saved. The longer an organization stays in “crisis mode,” the more expensive the event becomes. The financial impacts become exponential between the seventh and tenth day of an event. Rapidly resolving a crisis and returning to normal depends on good planning and great training.
A plan is only as good as the training that has been accomplished. It is a known fact that in an emergency, a person will always default to their lowest level of training. In a crisis, everyone has a role to play. Some are leadership roles, and others are individual roles. Knowing your role significantly impacts global organizations where geographic diversity may require a varying response.
We can only expect our leaders, leadership teams, and individuals to respond appropriately and confidently in a crisis if they have been properly trained and exercised in the plan.
Types of exercises vary in complexity and intensity from discussion-based activities (including seminars, workshops, tabletop exercises, and games) to operations-based activities (such as drills and functional full-scale exercises). Exercises should be selected and developed in conjunction with the training and exercise needs of the participating individuals and entities.
In exercises, like an actual event, you can observe the exercise critically. Having an evaluation group will permit you to identify areas of competency as well as areas for improvement.
The below steps chart a path to a successful exercise.
1. Strategy planning.
a. What strategic goals and objectives do we hope to achieve, and to what level of competency?
2. Design and development.
a. Exercises, like the response to actual crisis events, require much planning. A poorly planned exercise can cause declining support for future events.
a. A well-designed and well-managed exercise has multiple layers to exercise all the different facets of a crisis. An exercise design team that is engaged at all levels ensures the exercise is a meaningful experience. Remember, what we practice is how we will respond.
a. Critical evaluation of all exercise aspects will identify many areas for improvement. Part of success is learning from failure. It is better to fail in an exercise than during a crisis event.
5. Improvement planning
a. Immediately following an exercise, it is essential to take the lessons learned and incorporate them into readjusting the plan.
During the course of the exercise, gaps will be identified between the current planning and the desired end state. Identifying problems, determining the gap, and establishing the path forward to resolution are the final outcome of an exercise.
Crisis Communications and Social Media
A small team of senior executives should be identified to serve on a crisis communications team. Participants usually include the CEO, legal counsel, and an in-house or contract public relations/public affairs person. The size of the team is determined by the size of the company, the size of the crisis, and the platforms that are utilized for communication, including television, radio, web, and social media.
Using social media to communicate with stakeholders during a global crisis is highly effective due to its speed, reach and direct access by your audience.
For global companies in crisis, information is at a premium. Depending on the event, there may be a distributed population, interrupted communication ability, and many rumors. Your social media audience will rapidly grow beyond your impacted employees to include family members and global citizens keeping their eyes on the crisis to see how it unfolds and how it is being managed.
It is a well-known fact that during any crisis, communication is necessary. If you are not providing information about the incident, the media will seek out information that may not be the message you wish to communicate. I recall an incident recently where a global firm had an active shooter incident on its campus. They did not provide any details, and the media started directing questions to the landscaper working at the building.
Early and regular communication sets the tone for the duration of the crisis. Be as honest as possible and explain who is involved and what is being done to fix the situation. Be sure to correct misinformation promptly when it is identified.
Now for the tough question. For this answer, you need to consider your organization in its entirety and within the context of global crisis management. How mature are you in your ability to respond to and manage a global crisis?
Indicators: ad hoc, undocumented, unpredictable response.
Level 2 - Reactive
Indicators: fight fires as they occur, minimal capability for event management, no problem management processes, no measurements in place.
Level 3 - Proactive
Indicators: measured process, analysis of potential events, predict potential problems, mature management of events.
Level 4 - Highly Functional
Indicators: potential crises and their responses are identified and defined, the organization can competently manage adverse events with minimal impact, and there is a process in place for continuous improvement.
Level 5 - Value
Indicators: the strengths developed in crisis management positively impact other organizational activities, collaboration improves between business units, real-time situational awareness exists, and crisis management and organizational resiliency are part of the strategic business plan.
Wrapping Up with Organizational Resiliency
Resilience is an organization’s ability to adapt to changes caused by disruptive events quickly, efficiently, and effectively by implementing adaptive, proactive, and reactive strategies.
Resilient organizations demonstrate the ability to adapt and respond to changes to enhance their survivability and sustainability. They can minimize or eliminate the impacts of an event and return to normal performance levels in an expedited fashion after a disruption.
Planning and implementing an organizational resilience program has residual benefits in better communications and a greater understanding of the enterprise strategy, goals, and objectives. Additionally, when an unexpected adverse event occurs, the planning that was accomplished for other events will permit the organization to recover more rapidly than it could without prior planning.
Nations, businesses, and people depend on your products and services. Creating trust and reliability in your organization has numerous benefits; you will outperform your competitors, and your employees will know you care as they stay employed despite adversity.
Achieving competency in global crisis management requires firm commitment by Senior Management. It is not something that is turned on or off. It is a journey. Take the first step and keep moving towards your goal. You will be better tomorrow than you are today.