Crisis management strictly spoken: Some FAQ

Author: Manu Steens

What is a crisis and what is not?

A crisis is an incident that an organization can no longer solve through its normal operations. The Crisis Management Team (CMT) then takes over the management of the problem and communicates with the Crisis Communication Team.
What are not crises? Everything that can be handled with normal operations: issues and incidents, if there is no wrong intention.
An issue is a small thing that the organization processes through day-to-day operations of a team of the organization. There is no negative impact for the organization. There is no event yet.
An incident is an event with a negative impact on the organization that is solved by the day-to-day running of one or more teams.
An issue can evolve in an incident. An incident can evolve in a crisis. But an issue can also evolve very quickly in a crisis. One crisis can develop in the sidelines of another crisis.
An event with malicious intent is always a crisis.

How does a crisis originate?

There are 4 types of origins of crises: (United States Secretary of Defense Donald Rumsfeld)
1. Known knowns
2. Unknown knowns
3. Known unknowns
4. Unknown unknowns.

The first two are called “Gray Rhino’s” in the literature. These are things that we know and are ordinary (known knowns). Often we simply forget that they are there (unknown knowns), until they are nearby and overwhelme us. (Unknown known can also mean that one does not want to face the problem.)
The latter two give rise to what is called in the literature the “Black Swans”. People know that something can go wrong but do not know what or where or when (known unknowns) (eg a terrorist attack, hacking, …) or you are simply not suspected of anything despite extensive brainstorming attempts and the like. (unknown unknowns). The latter are considered the most dangerous because they can easily disrupt the organization completely.
Often a seemingly innocent something that attracts no attention, triggers a crisis, after which a phase precedes the event, unless there is malicious intent. That is why one must continuously look at relevant matters internally or externally to the organization. This can be done with key performance indicators or key effect indicators, or with eg early warning systems.

How does a crisis work? And what types of crises are there?

A crisis has various phases. Almost every crisis is as follows:
1. A soft subcutaneous or suppressed phase leading up to an event with strong negative impact. (Phase before the event or prodromal phase).
2. The sudden event that is typically very short and has a strong negative impact.
3. The post-event phase where the negative impact takes a reasonably long time. In this phase, the operations of the CMT, CCT, CCP, CMP and BCP usually start. The time-critical processes are started on the BCP. Afterwards the essential processes and necessary processes will follow. All this is done at a predetermined minimum level of functioning. One must try to keep this phase short.
4. The recovery phase in which one goes back to an operating level of before the phase preceding the event. This can be done in the old way, or in a new way. The rule “Never waste a good crisis” applies here. By recovering you can do new and better things. Sometimes, however, people have to perform harder for a while during this period in order to get rid of overdue work.
5. Aftercare phase. Here the details are worked out. Afterwards, the process resumes its (new) normal (or improved) operation.

 

crisisverloop

We note that there are two major types of crises with this trend, namely 1) the historically known crisis types (with a possibility of more or less systematic approach) and 2) the new unprecedented crises (for which no plan exists). As a new unprecedented crisis type occurs once or several times, it joins the historically known crisis types because experience allows for a planned approach. Pattern recognition occurs in the members of the CMT, CCT and CRT.

How can you prepare?

The Romans knew: “Whoever wants to keep the peace must prepare the war!” (Flavius ??Vegetius Renatus in his Epitoma rei militaris: “Qui desiderat pacem, bellum praeparat”) and the same applies in business: who wants to preserve continuity must prepare the crisis .
That is one of the reasons to work on resilience of the company, including through BCM and risk management. There are techniques that produce a business continuity plan, help create emergency plans and describe methods of risk analysis and risk management approach.
Both these practices mention crisis management. For both the following things are worked out:

1. Setting up a crisis management team (CMT), Crisis Response Team (CRT) and crisis communication team (CCT).
2. The crisis management plan (CMP).
3. The crisis communication plan (CCP).

One of the most important goals of the preparation is being able to apply the principles. Training, testing and practicing of the CMT and the CCT are therefore not unimportant at all. This has to be done at both operational and strategic level with which one can test the different roles, the leadership requirements and the cooperation possibilities (also with third parties across borders). So one must practice both the historically known crisis types and the new unprecedented crisis types. The first are testing the plans, the second mainly the leadership requirements. Both test the cooperation possibilities.

It is crisis, what now?

 

-> Notification: how do you know? And who do you notify?

 

Everyone in the business unit has the right and duty to report a crisis. Many eyes and ears know more. The report to the crisis team can best be structured as simply as possible. That is why it is best to keep the channels as short as possible: it is best to give everyone of the CMT reporting duty directly to the chairman of the CMT or to the person who is on duty at the CMT. If the organization has access to an early warning system, the CMT should also keep its finger on the pulse.
The chairman or the person on duty of the CMT informs the members of the CMT and CCT. A notification can also very typically come from the CCT, because they have a very clear view on what happens externally.

 

-> Priorities: what is important, and what is most important?

 

There are many important issues when dealing with a crisis, such as (in random order):
– political interests, inside and outside the organization,
– environment,
– laws and regulations,
– financial interests,
– economical interests,
– energy supply,
– reputation,
– Others ….

However, the most important top three focus points of internal crises within the organization are (in order of importance):
1. the people of the business units and in the buildings of the organization,
2. the buildings and facilities including ICT,
3. the processes of the business units.

 

-> IBOBBO: how do you tackle a crisis?

 

IBOBBO stands for:
– Informatiegaring (Information gathering)
– Beeldvorming (Imaging)
– Oordeelsvorming (Judgment)
– Besluitvorming (Decision making)
– Bevelvoering (Command)
– Opvolging (Succession)
This allows you to create an agenda for the operation of the CMT. It is also a blueprint for a crisis management plan (CMP). To make it a project, a start-up phase and a final phase can be added: the triggering of the crisis and the aftercare phase

 

-> Who expects what from you?

 

The CMT and the CCT can best think about and write down the roles and responsibilities of the employees within the CMT and the CCT in advance. Pay attention ! This is not limitative and can never be interpreted restrictively. In short, it is the responsibility of the CMT to ensure that all measures required to exorcise the crisis are implemented quickly. It is also the task of the CMT to use the recovery phase as a project and to guide it in the right direction. The CMT is in this role in the role of sponsor and appoints a project leader.

 

-> Aftercare, what is that?

 

Aftercare is dealing with the details. It is doing that where you could pay little attention to its low point during the bustle of the crisis. It is to ensure that the crisis mode is completed, and that people can return to business as usual. It is the completion of the recovery phase.

 

-> A common thread: Play Jazz

 

No one can handle a crisis alone. That is why collaboration is necessary. In the heat of the battle, the ears and eyes of the members of the CMT must remain open to know who is the best to make a move. The person who sees the possibilities must be able to present these moves briefly and be able to execute them quickly. Speed ??in all aspects of consultation and action is often more important than completeness. Acting on each other is therefore extremely important. Crisis management and crisis communication practice is therefore not a luxury, neither on operational nor on strategic level. That is why not only a great exercise is useful, but to get aligned with each other, many smaller exercises are also!

Not unimportant: what if the crisis grows over you?

-> If the need is too high, the overarching CMT is close.

 

If the CMT of the affected business unit can not solve the crisis alone, it can call in the assistance of the overarching CMT of the organization as a whole. There is an escalation schedule for crises within the organization. Because the overarching CMT then takes on the responsibility of managing the crisis for the entire organization, it will always be useful to inform the overarching CMT in any crisis, so that it can already go into pre-alarm if deemed necessary.

 

National Risk Analysis 2014 – Norwegian Directorate for Civil Protection

Drawn up by: DSB – Norwegian Directorate for Civil Protection

This national risk assessment dates from 2014 but is still topical.

Anyone who takes the trouble to go through the work from A to Z will receive a fantastic reward for it:

–    The work has a large number of ‘cases’ of scenarios of what comes down to society (from Norway, but many are more universally), and therefore also to the organizations in that society.
–   
It is a good example of qualitative risk analysis elaborated in detail
–   
The uncertainty (uncertainty) on the qualitative classification of probability (here: likelihood) and impact (here: consequences) is also taken into account on the basis of qualitative arguments.
–   
At the same time, each case provides an example of a qualitative sensitivity analysis in the uncertainty analysis.

The cases are structured according to three classes: Natural phenomena, Major accidents and Malicious acts. In the end there follows an “overall risk analysis” in which the cases are summarized and in which a reasoning is worked out that elaborates on a statement by Einstein and one from Abraham Lincoln.

“Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world. “- Albert Einstein.

This is illustrated by the first telegraph line that was opened in Norway in 1855: do you think of a risk analysis of the dangers of a solar eruption with particles that seriously disturb its functioning, if you know that this phenomenon was only discovered in 1859?

So: “imagine the future”. How can we prepare for a future that we still do not know what it will look like? For this the statement of Abraham Lincoln applies:

“The best way to predict your future is to create it.”

Therefore, when reading the cases, pay attention to the idea of ​​what this case will look like in the year 2030, 2040 or 2050.

Good Practice Guidelines – 2018 Edition – The Global guide to good practice in business continuity

Published by The Business Continuity Institute

This edition of the GPG differs according to its own saying in numerous ways from the 2013 edition. Some of those that stayed with me are:

–    More collaboration of the BCM employees with other employees in other management disciplines.
–   
Supply chain was integrated more into the story.
–   
More links are being made to ISO standards.
–   
Risk assessment has gained importance.

There are other things that have changed, which are noticeable:

–    Throughout the work, the link is regularly made to information security, but without referring to the ISO 27K series.
–   
The BIA is still a 4-tuple, but the mandatory character has been changed to “use what you need”
–   
A distinction has been made between crisis management and incident management.
–   
There is a better explanation for strategic, tactical and operational plans in times of crisis. However, without mentioning that the choice is also important as a function of what one needs. This piece remained theoretically sharply separated.
–   
There is a beautiful table here and there with more explanation of what is meant, such as the table with specific core competences and management skills that are required by the BCM responsible, divided according to the 6 professional practices.

In the book, extensive attention was given to PP6: ‘Validation’. Practicing and validating the operation of the BC program of the organization is very important as the keystone of the cycle to its restart.

In summary, we can state that the book is important for the beginners in BCM, but also for the advanced as a reference book.

What I personally regret that lacks is a bibliography for each chapter. For further reading I have the feeling that the interested parties are somewhat abandoned. But then there is the URL of ‘The Business Continuity Institute’ where you can find more information. (www.thebci.org).

Business Continuity Strategies – Protecting Against Unplanned Disasters – Third Edition

Author: Kenneth N. Myers

In this book, the author discusses strategies for addressing two classes of catastrophic crises that can happen to an organization: the failure of computers, and violence and terror in the workplace.

Many times, the author fights two things concerning the first class:

–    Deciding too easily for a disaster recovery site where all business software is duplicated
–   
Making the wrong questions to the business people when determining the BIA.

As far as the latter is concerned, the consultants turn out to be asking the questions mainly structurally wrong, eg do not ask:

–    How long can you do without a PC?

Because then the answer is always something very short-lasting, like “24 hours”

Ask the question differently by confronting them with the actual situation that has occurred:

–    IT and the server network are available for 14 calendar days. What are you going to do and what do you need to continue / save the business?

Because of this other approach to ask the questions, the business people are much more aware of the problems that might arise and they start thinking better.

The author also gives a number of examples of alternative approaches to a number of branches in organizations during times of crisis, which can be applied in a large number of companies. This is to temporarily bridge the PC-less period, the time that the ICT department needs to make everything back up and running.

In this book the author tackles the question in a solid way. The first chapter is therefore about defining the issue. Then the chapters on computer problems and violence come to the workplace. Then he gives some advice on how to approach a contingency plan. He also gives some attention to awareness and training.

Apart from the number of alternative examples of the possible practices in case of a computer outage, for which a disaster recovery website is good and what is not, and how the questions need to be asked to the business for drawing up a BIA and the related contingency plan, the book remains theoretically at a good level. It therefore classifies itself on a level above that of beginners.

Business Continuity Management – Building an effective Incident Management Plan.

Author: Michael Blyth

In this book the author works steadily towards his goal in the first three chapters: demonstrating the importance of Incident Management Plans (IMP), in addition to a BCP.

In addition, in chapter 4 he describes the inevitable: “what if?” Is the key question for some 40 cases, each of which is explained in text form, with chapters 5 and 6 providing the promising basis for the elaboration plans and questionnaires.

Chapter 5 gives the guidelines of the plans, in which there is a principle of a triptych: a first table is filled in to get an idea of ​​which (part of) the organization is involved. An outline of entity, place, time … Then the steps to take are taken: these have been drawn up as a so called “Guideline”, not to follow slavishly, but by interpretation. The third part of the guidelines forms the framework with suitable organizations / key persons that can be contacted.

Chapter 6 provides questionnaires, one per IMP, that can be used to estimate the situation, in addition to the questions of “SAD CHALETS”, the mnemonic used by the English Police to get a view of the situation. In addition, this chapter also contains a template for a risk assessment, which can be used during the crisis, to estimate the evolution of the crisis.

The book also contains a URL with password, where you can find the English text of chapters 5 and 6 in a word document for further development tailored to your own organization.

The book is thus actually a book for doers, with, to a limited extent, an introductory theoretical exposition.

However, in terms of IMP for cybersecurity it has not been worked out enough (which I think could have been a separate piece). Other threats have been worked out. Some threats are becoming more and more relevant for affiliates in the USA and elsewhere with current climate changes. Other are more universal in nature.