Proactive Crisis Management in 10 Steps

A crisis can impact your business at any time. Crisis is defined as “an unstable or crucial time or state of affairs in which a decisive change is impending… with the distinct possibility of a highly undesirable outcome.” Although predicting a true crisis is nearly impossible, you can mitigate the consequences of one with a proactive, forward-looking crisis management plan.

According to the Institute for Public Relations,

“Crisis management is a process designed to prevent or lessen the damage a crisis can inflict on an organization and its stakeholders. As a process, crisis management is not just one thing. Crisis management can be divided into three phases: (1) pre-crisis, (2) crisis response, and (3) post-crisis. The pre-crisis phase is concerned with prevention and preparation. The crisis response phase is when management must actually respond to a crisis. The post-crisis phase looks for ways to better prepare for the next crisis and fulfills commitments made during the crisis phase including follow-up information.”

This article focuses on the proactive planning stage pre-crisis. Consider these 10 steps as a checklist in your business continuity management plan, which includes planning for:

• Crisis communications;

• Crisis management; and

• Disaster recovery for information systems.

These three discrete plans that comprise your overall crisis management strategy are often developed in parallel, rather than sequentially due to interdependencies.

(1) Establish the Crisis Leadership Team (CLT): Identify and Engage Key, Cross-Functional Stakeholders

It is critical to ensure that each function or department within your organization is represented by either employees or contractors in your Crisis Leadership Team (CLT). These functions may include: human resources, marketing and communications, operations (supply chain management), information technology, quality control and quality affairs, internal audit, research and development, sales, customer service, etc. If you exclude a functional representative in your CLT, you risk overlooking key business processes necessary in developing organizational resilience in the event of a crisis.

(2) Perform a Business Impact Assessment (BIA)

A business impact assessment (BIA) identifies various scenarios for business interruption after a disaster strikes. Performing this risk assessment requires you to analyze and define your existing business process flows - and focus on the weak points and process dependencies that exist within your organization. Crises can cause business interruptions in product or service delivery, for example. The impact of a crisis often incurs a significant financial loss.

Develop a BIA questionnaire and expand its distribution beyond the CLT team to survey the key personnel in critical functions within your organization. This will aid you in mapping out your existing business processes in greater detail and identify your organization’s weak points (dependencies). Recommended areas to consider in your BIA questionnaire to quantify risk are shown below:

(3) Prioritize Risks According to the Degree of Business Impact

After identifying the potential disruptions to business operations and quantifying the financial impact, you should begin to prioritize the crisis situations by the degree of severity (financial loss). The length of potential downtime associated with each risk will lead to establishing realistic recovery time objectives (RTOs) in your business continuity plan. Your formula to calculate financial loss should look something like this:

# of Days Disrupted (RTO) x Incremental Expense Per Day =

Total Estimated Financial Impact Risk

Once the CLT has agreed on the priorities, the team should then proceed to develop a risk mitigation plan consisting of adapted business process flows to ensure operational resilience when a disaster strikes.

(4) Establish a Formal Delegation of Authority (DOA)

Part of the risk mitigation plan must identify replacements or successors for key positions within the organization. For example, if the CEO becomes unavailable during a crisis, who will become interim CEO? What happens if a regional headquarters becomes impacted by a crisis? Decisions requiring executive authority will need to be made, and a formal and thorough Delegation of Authority (DOA) will validate these transitions of power and provide the organization protection in the event of an audit.

The BIA will help you identify the key decision-making specific roles impacted by a crisis and determine the appropriate successors.

(5) Develop a Disaster Recovery Plan

Developed in conjunction with the business continuity plan, the disaster recovery plan (DRP) ensures redundancy in information technology systems and applications in the event of a failure. According to Ready.gov, “technology recovery strategies should be developed to restore hardware, applications and data in time to meet the needs of the business recovery.”

“Businesses large and small create and manage large volumes of electronic information or data… Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential.”

Depending on the size and complexity of your organization, the DRP could be the most time consuming component of your crisis management planning process. Think about it: If you lost access to your data, does that impact your ability to communicate to your key stakeholders? Deliver or receive product? Invoice customers?

(6) Develop a Crisis Communications Plan

Form a Crisis Communications Team (CCT), identify spokespeople, and document the plan for each of the prioritized risk scenarios identified in the BIA. Communicate information as you obtain it, but keep in mind that not all information will go to each audience. Consider each discrete audience you have: employees, customers, vendors, investors and the general public.

1. Internal Communications

   For example, the marketing communications CLT lead should work with human resources on the internal employee communications process planning, as well as in the development of any pre-written content (i.e., an employee crisis memo template, announcements of a new interim corporate structure based on the DOA, etc.).

2. External Communications

   Swiftly communicate your crisis management plans and temporary procedures to your customers and vendors to reassure them that you are preventing (or at least mitigating) product or service interruptions. Business investors should be aware of the existing crisis management plan, so communications with this audience should serve as a regular status brief.

   Finally, have press releases drafted with blanks ready to be filled and sent to your media contact list to inform the public. You may also want to develop a specific, regularly updated, media list of contacts as part of your crisis communications plan.

(7) Develop a Business Continuity Plan (BCP)

A business continuity plan (BCP), designed to account for any disaster scenario, will include:

• Documented adapted business process flows by role or function;

• Established recovery time objectives (RTOs) for each scenario and business process impacted in a crisis;

• The official delegation of authority (DOA);

• Identified roles or positions with sufficient information technology systems access to perform the required business processes and/or critical customer or financial data in times of crisis;

• The crisis communications and disaster recovery plans; and

• Documented compliance or regulatory-related procedures based on the type of crisis (i.e., product quality issues, supply chain interruptions, natural disasters, etc.).

Finally, remember the KISS rule: make the plan easy to read, to the point, and implementable.

(8) Test the Plan Until the CLT is Satisfied with Plan Robustness

Key, cross-functional stakeholders (or business process owners) should sign-off on the successful completion of each adapted business process flow contained in the BCP and indicate whether the RTOs are realistic. Once the CLT has collected the feedback from practice runs executing the BCP, they must sign-off on the document.

(9) Obtain Plan Approval From the Executive Team and Board of Directors

Present the plan and test results from the plan execution tests to the CEO and Board of Directors for approval. Once approved, your organization now has a common framework of response in the time of a crisis. It has established greater organization resilience.

(10) Update the Plan and Practice on a Regular Basis

Consider your organization’s crisis management plan and its components (i.e., business continuity, crisis communications, and disaster recovery) a living document. The plan should be updated on an annual basis at a minimum to account for occurrences such as:

• Staff turnover;

• Implementation of new applications/systems;

• Business growth - real estate acquisitions/divestitures;

• Expansion of sales into new territories - states or countries;

• New regulatory requirements;

• New departments or functions; etc.

A practiced and comprehensive business continuity plan will enable your organization to proactively identify a crisis situation and respond nimbly to it. At the heart of successful crisis management, which is essentially reputation management, is planning a response to the unforeseen.

Glossary

• BCP - Business Continuity Plan

• BIA - Business Impact Assessment

• CLT - Crisis Leadership Team

• CCT - Crisis Communications Team

• DOA - Delegation of Authority

• DRP - Disaster Recovery Plan

• RTO - Recovery Time Objective

• RPO - Recovery Point Objective

Relevant Articles