Even the most comprehensive risk assessment can have “blind spots,” or unforeseen crises, that leave an organization unprepared. It is essential to identify and assess risks that may pose a threat to an organization’s operations and assets and then develop strategies and — equally as important — a well-staffed, well-trained active crisis management team to mitigate and manage them.
A well-developed crisis management plan, or a comprehensive strategy, is crucial to help an organization respond to and manage unexpected events or situations — including blind spots. The plan typically outlines the procedures, roles and responsibilities, and communication channels that will be used during a crisis. It also includes steps for assessing the situation, making decisions, and taking action to minimize the impact of the crisis.
Without a plan and a team in place, organizations can be caught off guard and struggle to react in a timely manner, resulting in significant financial losses and reputational damage.
How a risk assessment can identify risks, threats, and vulnerabilities
It all begins with a risk assessment, a holistic approach to identifying all of the threats, vulnerabilities, and consequences that are associated with the potential risks an organization may face. A threat can be anything — including weather, natural disasters, and health pandemics — that has the potential to:
- Disrupt business;
- Interfere with operations;
- Harm employees or physical property; or,
- Subject a facility to liability.
Understanding the types of crises that can occur is the first step in developing a crisis management plan.
“Typically, organizations spend a lot of time on their interior risk assessments and crisis management plans,” said Mike Eddlemon, Senior Managing Director, CANAM. “Those are structural risks if you will, but what leaves them vulnerable are the variable risks. COVID is a good example of that.”
Structural risks are those that are inherent or built into a system, process, or organization, and therefore are predictable and can be quantified, such as the risk of loss due to equipment failure or the risk of a cyber-attack due to outdated security systems.
On the other hand, variable risks are those that are influenced by external factors that are harder or impossible to predict or control, such as changes in market demand, natural disasters, or pandemics, all of which can have a significant impact on the business environment. Effective risk management should take both types of risks into account and develop crisis management plans to mitigate potential losses in both areas.
“Blind spots develop because companies aren’t keeping a closer eye on how the structural and variable risks are changing for them,” said Tim Williams, Pinkerton Vice Chairman. “No two organizations are completely similar in terms of all the aspects that are involved in that particular crisis.”
It may be tempting to take a “one size fits all” approach to risk assessments, but risks and vulnerabilities are truly unique from business to business. The simple fact is that an organization in Philadelphia, PA, and an organization in Seattle, WA will each face unique threats. Even different locations within the same organization will face different threats.
Organizations need to take an honest look at all of their potential and unique risks and how an individual location can best respond to risks should an incident occur.
Who to include on an effective crisis response team
“If I were to drive home one thought to organizations, it’s that you can’t do without a very well-staffed, well-trained active crisis management team,” said Tim. “And you need a team with knowledge of the business and the flexibility and emotional intelligence to be able to manage any crisis because there are going to be variables and variations to every crisis.”
A well-staffed crisis management team should consist of a diverse group of individuals from various departments and stakeholders. This should typically consist of employees from the human resources and legal departments, as well as key stakeholders from public relations, IT, and various other business units. The team should be diverse in terms of talent, qualifications, and engagement.
“When you are developing a crisis management plan, construct the main team and choose alternates. You always need to have alternates on the team. Then invite in various other staff functions who may not be represented on the team just to observe the dialogue and the other developmental processes so they can appreciate the decision making,” said Tim. “When they see the deliberative process and the nature of the events that are being managed, it reduces anxiety, and you get buy-in.
“Participation in the process and development also raises awareness, which gets you over that first momentous hurdle in crisis management,” he said.
How to establish clear crisis communication protocols
Whether it is a natural disaster or a global pandemic, clear communication is vital when responding to a crisis. Organizations must establish communication protocols to ensure everyone is aware of the situation and what actions are being taken — and avoid another potential blind spot.
“For example, during the COVID-19 pandemic, organizations needed to quickly establish protocols for communicating with employees remotely,” said Tim. “A lot of organizations were unprepared, and there are many organizations that are no longer here. The ones who took this to heart are still here and will be more than prepared for the next pandemic.”
Just like establishing a crisis management team, organizations should identify the key stakeholders who will be responsible for communication. This team should include representatives from various departments, such as human resources, legal, public relations, and IT. Each member should be assigned specific roles and responsibilities to ensure that communication is effective and timely.
Messaging should be consistent across all communication channels, including social media, email, press releases, and website updates. Moreover, organizations must be transparent in their communication to maintain the trust and confidence of their stakeholders. This includes being honest about the situation, acknowledging any mistakes, and providing regular updates on the progress being made to resolve the crisis. A clear and concise plan can make a critical difference in the effectiveness of your organization’s response to crises.
The benefits of regular crisis plan simulations and scenarios testing and training
An effective crisis management plan is only as good as the people who execute it. Regular training and testing of the crisis management plan, including simulations, are crucial to ensure everyone understands their roles and that the plan will work in practice.
“I’ve seen plans that are several years old where team members are no longer on the team or even with the organization. The plans hadn’t been updated or tested,” said Mike. “Perhaps at one time, the plans were accurate. The organization feels like they were prepared because they worked on the project and had a team together. But when a crisis hits, they’re not prepared. Crisis management plans are not a ‘one and done’. They are very perishable. And they take a lot of maintenance.”
Plans need to be revised and updated, based on the evolution of the organization, changing risk landscape, new technologies, industry insights, and recent crises.
“Testing and maintenance is a business function, and it must be at the forefront of the business. Otherwise, how do you know it works?” said Mike. “An organization’s core objective is not typically security, but how does the organization fulfill its core objective? It all goes back to protecting its people and assets and the delivery of service or goods.”
Tim elaborated further, “When we test plans, we run scenarios. We invite C-suite executives and vice presidents to watch the process to educate them. We ask them to take two to four hours out of their day, once a quarter, to come in and watch the process unfold so that they would know how to react and interact with the crisis management teams.”
“To Tim’s point,” said Mike, “it’s almost impossible to come up with every potential scenario that may impact the business. But when you have a team and comprehensive plan in place — and it’s tested and exercised — the team will know the organization’s resources and capabilities. They can quickly adapt and navigate.”
When to start planning crisis external emergency response
In some cases, a crisis may require access to external resources, such as emergency response, protection, or cleanup services. Organizations should work with providers to establish relationships ahead of a crisis. Sourcing contractors during or after an incident, depending on the nature of the incident, can be difficult and may cause further business interruptions and impact.
By planning for potential crises — and blind spots — testing and improving crisis management plans, and training employees for any contingency, organizations can more effectively and efficiently respond when they do occur. With the right planning and practices, even the most severe crises can be mitigated.
Pinkerton’s structured approach to preparation and prevention helps organizations map out policies and procedures before incidents happen. And should an event occur, we can provide services to assist you with business continuity planning and recovery, both locally and globally. Let’s work together to keep your organization secure and your assets protected. Connect with a Pinkerton trusted risk advisor.
