How Much Crisis Planning is Enough?
One of the most important management competencies is planning. Crisis planning is the preparation of documented action steps designed to improve the organisation's response toward mitigating a disruption's impact on assets and resources. Long ago, I was given some sage advice prior to briefing proposed Crisis Planning improvements to the executive team.
My boss said, 'Remember Mike, whatever you're talking about, you're talking about money.' This truism is an unrelenting one. In tandem with day-to-day operational constraints and limitations, the threat of an event evolving into a crisis consistently challenges an organisation's management team to walk a tightrope between adequate mitigation efforts and fiscal need. In balancing these competing interests, 'How much crisis planning is enough?' is often a question posed.
Crisis planning is essential to monitor for, react to, and recover from organisational disruptions. There are 3 key aspects which provide indicators as to where your program resides:
- Developing and Monitoring the organisation's Risk Profile
- Defining and Communicating the organisation's Risk Appetite
- Ensuring Crisis Planning is Established, Implemented, and Effective
Developing and Monitoring the Risk Profile
Crisis is a disruption of normal operations which exceeds emergency response, or a condition where the entity has no pre-planned mitigation to contain or control the disruption. Maintaining a state of normalcy, for any organisation, is directly dependent upon the risks to their assets and processes.
The key to reducing the frequency and severity of a crisis is to fully understand the organisation's Risk Profile. The organisation's Risk Profile is derived from a methodology which determines how risk varies across comparable assets and processes. When developing the Risk Profile, management assesses the:
- Origins of Risk
- Assets or Processes at Risk
- Vulnerabilities and the Effectiveness of Current Controls
- Probability of Occurrence and the Potential Impact/Consequences
- Scores and Prioritises Risk (this aids in the Distribution of Resources)
After assessing these factors, management should determine if the residual risk is at an acceptable level. If unacceptable, the decision-maker has several options: apply additional controls, share the risk, separate the asset or process from the stressor, or accept the increased risk to the organisation's Risk Profile.
Planning is not a static concept. The effectiveness of risk controls can change rapidly. Once the Risk Profile has been developed, management must sustain an ongoing ability to detect, assess, and respond to environmental changes. Ensuring the diligent monitoring of climate and culture reduces the opportunity for incidents and emergencies to metastasise into crises.
Internally, the organisation should establish key performance indicators (KPIs) in monitoring operations, training, and exercises. KPIs enable fact-based decision-making to determine where the organisation's crisis planning should reside in the risk continuum. While 'How much crisis planning is enough?' is subjective, these performance metrics can provide leadership with critical data points to adjust the level of crisis planning to the current Risk Profile.
Defining and Communicating the Organisation's Risk Appetite
How much a risk decision-maker decides to assume has a direct relationship with 'How much crisis planning is enough?'. At all levels of the organisation, too many decisions are made with an incomplete understanding of the Risk Profile and the requisite capacity needed to effectively manage the risk.
To offset this, it is paramount that executive management defines the organisation's Risk Appetite. In this formal communication, executive leadership establishes the risks it considers most significant to strategic goals, objectives, stakeholder positions, and risk experience. This document should set the organisation's risk culture, tolerance levels, and approach toward managing risk. All strategic and operational plans and programs should be consistent with this crucial communication.
While there are several ways to manage the organisation's Risk Appetite, the program suite depicted on the left provides the foundational elements. This centralised programmatic approach of related plans provides a means to proactively reduce (outlined in gold) and reactively manage (outlined in red) organisational disruptions. This model requires executive sponsorship, managerial infrastructure, and a requisite level of planning. Executive sponsors provide goals and objectives, while plan managers create structure, provide guidance, and establish priorities.
Based on the organisation's current Risk Profile and established Risk Appetite, managers determine the plan's approach, assign roles and responsibilities, manage resources, oversee change management, and report the results to the executive sponsor.
As shortfalls in the capabilities and effectiveness of risk management, emergency response, and continuity planning can lead to the organisation declaring a crisis, management should implement an audit and oversight function to preempt opportunities for a self-induced crisis. Considerations which facilitate the response to ‘How much crisis planning is enough?’ include:
- How strong is the organisation's commitment to Risk Management Competencies?
- How effective is the organisation's Risk Management Plan?
- What metrics are used to evaluate the effectiveness of Emergency Response?
- What is the level of commitment toward Continuity Planning?
- How frequently are plans trained, tested, and exercised?
There is no suitable substitute for undertaking the effort to establish the organisation's Risk Profile and Risk Appetite. Without ensuring the underlying factors of risk (potential disruptions, consequences, and vulnerabilities) align with the organisation's selected level of Risk Appetite, the efficacy of the applied mitigation measures will be largely indeterminate. Although crisis decisions will always contain a degree of uncertainty, those decisions should always be based on sound analysis. Otherwise, ‘How much crisis planning is enough?’ becomes moot.
Ensuring Crisis Planning is Established, Implemented, and Effective
The capability to respond to crisis in a rapid and effective manner is essential. At each decisive moment, everyone involved throughout the organisation should know the plan and manage it as designed. As trust and confidence are traits unwilling to lend themselves to surge efforts or compressed timelines, crisis planning warrants a strong focus on human dynamics.
Ensuring crisis planning is established, implemented, and effective provides the means to proactively determine the shortfalls in the organisation's capacity to cope or adapt to disruption. This final aspect reveals any major oversight and provides potential improvement opportunities. The product produced by the criteria on the left represents the composite picture for organisational leadership to determine, with confidence, 'How much crisis planning is enough?'.
When an organisation:
- Monitors its Risk Profile
- Establishes its Risk Appetite Statement
- Commits to the pursuit, development, and application of Risk Management Competencies
- Trains, tests, exercises, and audits the capabilities and effectiveness of risk reduction efforts
its crisis planning has a high probability to contain and control the impacts of disruption and return the organisation to a state of normalcy.
In that moment, the question 'How much crisis planning is enough?' will be answered.
BY MICHAEL PAYNE - Senior Advisor, Organisational Resilience iJET
Michael Payne is an ASIS International, Certified Protection Professional (CPP) and DRI International, Certified Business Continuity Planner (CBCP) leading iJET’s Organisational Resilience Department within the Global Operations Division. In this position, he is responsible for organisational planning/readiness, security operations, strategy, assessments, evaluations, resiliency systems design and emergency assistance.
Michael has a distinguished career managing the operations, crisis/emergency response, protective strategies, physical security implementation, physical and cyber security integration, procedural development, and personnel situational awareness and safety for several critical infrastructure and key resource entities. During iJET critical response operations, he assumes the role of Global Operations Incident Manager, leading crisis surge management efforts for significant events such as major natural disasters, political situations, and terrorism.
Source: iJET Integrated Risk Management