Ensuring compliance with regulatory requirements is critical to your business. But crisis and business continuity planning – often mandated by law – shouldn’t be a box-ticking exercise. Unfortunately, too many firms fall into that trap. What risks do those companies face when they treat crisis preparedness as a compliance-first practice?
First things first: regulatory mandates are ubiquitous. In the U.S., for instance, employers with more than ten workers must have written emergency action plans that specify what workers and others at the workplace should do in the event of an emergency.
That particular requirement, an extension of the broader duty-of-care obligation, is common around the advanced world. And compliance-minded firms know better than to ignore it.
But while those firms must acknowledge their compliance through the development of crisis management plans, the plans themselves shouldn’t be undertaken through a compliance prism. Why? A compliance-first posture only gives organizations license to leapfrog over the vital risk assessment phase of crisis planning – i.e. identifying and analysing the most-likely hazards to occur at the workplace in question – and proceed right to copying and pasting popular crisis plan templates.
Of course, there’s nothing wrong with working off of a pre-set template. After all, many of those templates draw on industry best practices. However, the evidence shows that carefully customizing your crisis plans (even your prefab templates) to your organization’s specific crisis risk factors better prepares you for crisis – so too does integrated crisis management software. On the other hand, simply copying a plan might get the job done in the short term, but at a cost: it leaves teams uninterested and uninvested in the resulting plan. More often than not, that plan ends up getting shelved, only to be recovered, untested, when crisis strikes.
And that’s not the only pitfall of taking a compliance-first approach to crisis planning; there’s also the diametrically opposed approach to the copy-and-paste model: creating lengthy, overly detailed plans that address every possible crisis contingency – no matter how unlikely.
Sure, those plans satisfy the statutes – and then some. However, we hear from practitioners that those overly prescriptive plans are simply not actionable. In fact, they often frustrate the people tasked with executing them. Like prefab templates, they end up getting shelved.
So, what’s the answer? Well, instead of developing plans simply to meet regulatory requirements, teams should strive to create flexible modules, playbooks that can dynamically adapt to fast-changing crisis situations. Those plans will be comprehensive in scope without being laborious.
What’s more, crisis plans, even comprehensive, best-practice plans, can’t be treated as static documents. They have to be living documents, constantly revisited through routine training exercises. Those exercises help surface flawed assumptions in the plans before it’s too late. And re-testing the plan also helps the business prepare for new crisis triggers, as company risk factors change.
The moral of the story? Regulation always impacts planning – how could it not? But crisis preparedness is a strategic business function and shouldn’t be a mere matter of compliance. To better prepare your company for every stage of the crisis management lifecycle, start by conducting a careful risk assessment. And for more tips on how to avoid planning pitfalls and develop robust, dynamic plans, download our crisis planning guide.