A full 100 percent of companies experienced at least one critical event in the last two years, according to a 2018 Forrester study. And the effects of those crises can be catastrophic, especially for small and medium-sized enterprises who run a higher risk of business closure.So, how will organizations tackle near-inevitable corporate crises? The short answer is developing a best-practice crisis management capability. But, of course, there’s been a paucity of relevant standards. That is until BS (British Standard) 11200.
Indeed, international standards have traditionally been the sources of best-practice information, with the International Organization for Standardization (ISO) putting out multiple, useful, management system standards in the integrated safety and security space, e.g. emergency management (ISO 22320), business continuity (ISO 22301), and physical security (ISO 27001). Crisis management has long been underserved, though. The body’s ISO 22398 societal security standard is limited in scope; meanwhile, an end-to-end, full lifecycle standard is only in the working group phase.
It’s thus fallen to national standards organizations to fill the gap, with the British standard taking the lead. What’s so special about BS 11200? For starters, it provides in-depth, best-practice guidance, “[setting] out the principles and good practice for the provision of a crisis management response… [with the intention] to aid the design and/or ongoing development of an organization’s crisis management capability.”
What’s more, unlike other standards and specifications in the space, BS 11200 isn’t prescriptive. It’s written for business owners and managers, to whom it details which capabilities (their) organization needs in order to consider itself crisis ready.
Another key to the business case for BS 11200 is the care it takes to explicate the differences between incidents. Why do these ostensibly theoretical distinctions matter? Turns out the distinctions have real-world impacts. For one, incidents are important crisis triggers.
More specifically, incidents are adverse events that might cause disruption, loss, or emergency. As for crises, critical events of that sort are abnormal, unstable situations that threaten the organization’s strategic objectives, reputation, or viability.
In terms of urgency and pressure, for instance, incident response usually spans a short time frame of activity, resolved before exposure to longer-term or permanent significant impacts on the organization happen. Crises, on the other hand, have a higher sense of urgency. Their response might run over longer periods of time to ensure that impacts are minimized.
Organizations must also take different tacts to minimize impacts arising from incidents (which can be potentially widespread) and crises. The impacts of incidents can often be mitigated just by applying appropriate, predefined procedures and plans, for which there are usually available, adequate resources.
Not so for crises, which are definitionally novel, of greater scale, and more uncertain. Crises are rarely resolvable through the application of predefined procedures and plans. Instead, those procedures and plans must be combined with a flexible, creative, strategic, and sustained response, rooted in sound crisis management structures and planning. How, then, do organizations implement those structures and undertake those planning efforts? You’ll have to read the standard to find out.
Don’t have the time? We’ve written a comprehensive explainer to guide your efforts to develop a best-practice crisis management capability at your organization. Download our Guide to BS 11200.