Crisis and Risk Management
In today’s world of terrorist attacks and natural disasters, every company, large or small, needs to employ risk management techniques to assess and avoid potential threats wherever possible.
Most of the types of planning discussed here will only be appropriate for large organisations, which will have the manpower and budget to overcome major crises. However, all companies, large or small, would be well advised to devote a little time to considering how, with some forethought and planning, they can take protective measures.
A very high percentage of businesses affected by an incident such as data loss will never resume trading, or will cease trading within a year.
Large companies may have responsibilities to shareholders as their rationale for risk management and disaster planning, but smaller companies also have valid reasons to include them in their management activities. Protecting the company and its future is the top priority for most business owners.
Any large business that uses the outsourced services of smaller third parties or subcontractors will prefer to work with suppliers who have a Business Continuity Plan in place. In fact, they may specifically exclude those who don’t.
What constitutes a crisis?
A crisis is normally considered to be an event that was unpredictable, or one that was foreseen but whose consequences were not. Either way, the situation now poses a threat to the wellbeing of a company and requires urgent decisions and actions for damage limitation.
There are potentially several types of crisis. Here are a few examples:
- Natural disaster, such as fire, flood, tsunami, earthquake, storm
- Technical crisis, such as failure of IT systems
- Utilities failure, perhaps through power cuts or storm damage
- Terrorist attacks
- Political – boycotts, strikes, sit-ins, blockades
- Product recalls due to defects, or tampering with products
- Management misconduct – perhaps fraud
- Poor business performance, shareholder unrest, share price drop
Some risks are more likely than others, so all companies would be well advised to put certain basic processes in place, such as employee inductions that cover evacuation procedures, fire drills, and what to do if a fire is discovered or a colleague is injured. Door security is also a simple but important issue.
Emergency plans should assign roles and responsibilities to people who will take charge in an emergency, such as fire wardens or first aiders. The responsible people should be known and clearly visible to staff, their authority easily recognised in an emergency. They may be issued with high visibility vests, jackets or armbands for easy recognition. The process for fire drills and evacuation should be rehearsed regularly, with everyone knowing what action is expected of them.
Many organisations will have a crisis plan in place, and a nominated crisis manager who can implement a pre-agreed plan. The plan will vary depending on the type of crisis, and there may be one for each of the types of risk itemised above.
The crisis management plan will define the process to identify and assess any serious situation that arises, deal with threats and emergencies throughout their duration, ensure damage limitation, and plan for business resumption and post-crisis recovery.
Crisis Management has several stages:
- Preparation and prevention
- Identification or anticipation of the crisis
- Limitation and damage control
- Managing the change
- Business recovery
- Reviewing and learning lessons
How does Crisis Management work?
The crisis poses a threat to the reputation or survival of the business. It may range from inappropriate behaviour by a member of staff, to the closure or withdrawal of some of the company’s products or services. Perhaps a service user is unhappy with your company and has contacted the press.
The power of the online media allows news to spread quickly. Managing the crisis effectively is vital to minimising damage.
If the business has a plan in place for when something goes wrong, this allows the business to act quickly and effectively, to avoid or minimise the threat. The plan should look at every possible impact on the business.
How does Business Continuity Management differ from Disaster Recovery Planning?
Disaster Recovery Plans tend to focus on recovery of the IT aspects of a business, such as offsite backup systems and cloud storage.
A Business Continuity Plan addresses all the issues necessary to keep the business running. It will include strategies to minimise disruption to customers and employees to ensure a crisis is managed effectively before it escalates to a disaster.
Business Recovery Plan
This is the plan to allow resumption of normal business as soon as is practical, e.g. a defined process for staff to follow in the intervening days, such as somewhere for staff to gather and begin work.
This may be a series of separate plans to deal with events that may seriously impact operations, and may include practical issues such as:
How would employees and customers be advised of business disruption?
What would be done about customer orders due for delivery during business disruption?
Where and how would the business operate if the premises were closed?
How long could the business function if computer or telephone systems were down? What other arrangements would be used short term? How would staff and customers be contacted? Would production be affected? How would you access vital data?
If your information was hacked, would sensitive information fall into the wrong hands, say a competitor’s? What might the effect of that be?
People are usually a company’s most valuable asset. The loss or injury of employees is a serious problem. If several members of the team left in a short time period, perhaps through maternity or paternity leave, illness, retirement, or a move to a new competitor, how would your business be affected?
The answers to these questions will feed into the Business Continuity Management (BCM) plan.