May 18, 2007

Crisis Action Planning, Unlike Chicken Soup – Does Not Get Better With Age

Bad things happen to good people, and unless they are prepared to deal with them, bad things turn into disasters or worse. Like most aspects of running an organization, disaster planning is a mesh of people, process and technology. Most disruptions to business operations are unplanned; consequently, knowing instinctively what to do before something bad happens can mean the difference between success and failure, and sometimes even life and death.

This week I had the opportunity to be an observer as a client went through a ‘table top’ Crisis Management Plan exercise. Key representatives came from the Executive team, finance, corporate treasury, legal, corporate communications and HR. They were run through an expanding scenario that required them to state their priorities and indicate what they would need by way of information from the various teams in the room. Issues as to which organization would be the lead for various aspects of the “crisis” were also hashed out.

As the exercise unfolded it was clear that Corporate Security and HR had worked on many of these issues before, and that there was a general spirit of teamwork and cooperation. It wasn’t until after the exercise was over that I learned that IT wasn’t involved and that the Information Security functions were spread out over several “Managers”. There was good news and bad news here. The good news was that the overall team functioned well and could work on the few areas where they needed improvement. The bad news was that the focus had shifted so far from technology that a second level exercise, one with real players and data, would very likely not be so smooth.

Disaster preparedness for organizations takes many forms. A good place to start is identifying the critical people and processes that need to continue to function regardless of interruptions. Then determine the tools they will need under a variety of circumstances to execute those functions, and develop the plans and logistics needed to achieve these ends.

A couple of key things that often get missed are (1) 7x24 hour crisis management and (2) engagement of law enforcement. In the case of 7x24 operations, it is important to realize that a special team needs to be identified and that team removed from their day-to-day duties to focus on crisis management and actions.

The issue of engaging law enforcement is a bit more complex. Organizations recognize that they may need to involve law enforcement quickly in certain cases such as workplace violence; however, in cases such as theft of intellectual property or improper employee behavior such as ‘legal’ pornography, industry is generally in no rush to engage law enforcement. In any event, organizations need to determine their philosophy ahead of time. They need to identify: incidents that will immediately involve law enforcement; which law enforcement agency should be notified and the circumstances for doing so; individuals who are the principal points of contact, etc. These decisions need to be made prior to the stress of incidents.

It should also be borne in mind that organizations do not exist in a vacuum. Natural disasters and selected manmade ones will likely involve the geographic area surrounding the organization and affect employee welfare and freedom of movement. It is prudent to work with local government and key non-governmental organizations (NGOs) such as the Red Cross to understand the total setting. Communal planning for disasters is a continuous process for many organizations - it should be for yours as well.
