In developing a crisis management plan, it helps to understand what crises are all about. Simply put, a crisis is an unanticipated event or issue that disrupts the day-to-day operations of your organisation. Depending on its nature and severity, that crisis has the potential to create significant financial, safety, security, and/or reputational harm.
By definition, crises are unpredictable. Companies sometimes get hung up on all of the possible bad things that can happen. When coming up with a crisis management plan, though, you simply can’t plan for every contingency. It’s not practical.
Instead, we counsel starting to crisis management plan for the likeliest crises to strike your company. How to get started? Here are the ten steps we recommend following to develop an effective crisis prevention and management plan.
Cyber incidents have long topped the list of most common incidents. But the COVID-19 pandemic suggests those crises aren’t the only disruptions you have to worry about.
Other likely disruptions include environmental disasters, reputational threats, leadership or governance failures, liquidity or capital problems, etc. More generally, the most common crisis types include the following:
Irrespective of type, crises tend to unfurl in set stages: pre-crisis, crisis response, and post-crisis and recovery. The management of the crisis should also be ordered around those set phases: prevention and preparation for pre-crisis, crisis response, then the evaluation of what went wrong and looking for ways to better improve preparations for next time for post-crisis.
To be considered fully prepared, your crisis management plan should account for each stage. That entails taking intelligence gathering and constant monitoring as your default mode of crisis management, or approaching crisis management as a lifecycle. Here are the elements of the crisis management lifecycle:
Understanding the crisis management stages matters, because it’s during the pre-crisis stage that you’ll undertake the bulk of your crisis management planning. In other words, you’ll be putting in place the processes and procedures to deal with the effects of disruptive incidents. So, what should go into the resulting crisis management plan?
Well, the short answer is it depends. Specifically, your crisis management plan hinges on the answer to a couple of questions:
Moreover, before committing pen to paper on your crisis management plan, you need to have a firm grasp of performance objectives. What would constitute success? What are the KPIs you’ll be tracking?
If you can’t answer those questions immediately, that’s ok. Some of the responses will depend on the results of your vulnerability audit.
The vulnerability audit is a multi-disciplinary risk assessment you’ll undertake to determine areas of operational weakness and come up with solutions to the areas. The purpose of the audit is to uncover current and potential threats in a variety of forms:
Another objective of the risk assessment is to develop a list of potential crises and to rank them in order of likelihood of occurring and associated costs of dealing with the impact. If you’re building a new (or re-evaluating an old) crisis management plan after the conclusion of a crisis, use the crisis post-mortem to inform your risk assessment.
After coming up with a list of objectives and likeliest crisis scenarios, you can proceed with drafting the crisis management plan proper. The plan itself will have to be flexible enough to adapt to multiple situations. In other words, think about creating modules, rather than adopting a one-size fits all approach.
If you already have a crisis management team, you’re a step ahead. Not completely out of the woods, though. That’s because everyone in the organisation needs to be involved in the crisis management effort, not just your experts.
Indeed, the effort benefits when the entire staff is onboard, whether detecting early warning signs or helping in the crisis response and recovery. As for the team driving the effort, you’ll certainly need C-suite representation, as well as senior managers from the company’s most important business units, including Finance, HR, Operations, IT, Risk, Communications, Legal, not to mention the dedicated Crisis Managers.
A final word: avoid bloating your core team. When crisis strikes, unnecessarily large teams often hinder efficient decision making.
An important, but oft-forgotten, step in crisis management planning is pre-defining what actually constitutes a crisis. In other words, how do you know when it’s time to call in the crisis management team?
Here things get murky, because crisis itself is murky. For instance, you won’t trigger your crisis management team to deal with slow-burn issues. But you should document all the criteria and indicators you will use to determine whether a crisis has actually occurred. The case of an active shooter or earthquake might be clear. But when would you bring in the team to handle a more ambiguous reputational crisis?
In addition to setting activation guidelines, consider other logistics, like defining the chain of command structure for specific scenarios and where to set up your crisis command centre or off-site gathering points in the case of an evacuation. In the case of the former, multiple locations might be necessary, especially in this era of social distancing: somewhere at headquarters, in the cloud, as well as an off-site location in the event that your headquarters is seriously compromised by the crisis.
It’s usually the job of HR to compile and update the contact information for all of your employees. That information then gets stored in a people management system. Accessing those systems is difficult in the best of times, much less during an emergency.
And so, we recommend when planning for crises to ensure that your crisis management team has critical information (including emergency contacts,) not just for your employees but also for other relevant stakeholders. Procuring crisis management software that syncs with your existing people management system will make this task exponentially easier.
Along those lines, develop and communicate (ahead of time) the protective actions you’ll take to ensure the safety of your employees, such as evacuation, lockdown, etc.
When crisis response goes awry, flawed communication is often the culprit. During a crisis, bad communication can mean any of the following:
Combatting those common crisis communication errors requires planning ahead of time, i.e., developing a crisis communication playbook within the larger crisis management plan. The playbook will include the following:
Many smaller organisations don’t have dedicated, in-house PR resources. For the purposes of crisis communication planning, those firms should consider investing in external PR resources. Make sure that once on board, those resources get to weigh in on your crisis communication plan and remain fully abreast of updates.
Preparing for a crisis means playing the odds. You don’t plan for the worst-case scenario; you plan for the likely crisis. That’s why teams prioritise crisis communication: every crisis will have a communication component.
In the same vein, you should come up with individual playbooks (or action plans) for the specific crisis scenarios you outlined in your risk assessment. Like the larger crisis management plan, those playbooks should be flexible, responsive modules.
Ensure that these action plans, as well as the master plan and other documents and policies, are easy to deploy and refer to during a crisis. Preferably, they should be available in digital format in your crisis management software platform.
Finally, developing a comprehensive (yet flexible) crisis management plan is only half the battle. You still need to train your team so that they’re comfortable performing the tasks assigned to them. It is through regular training exercises that you identify flaws in your crisis management planning and approach.
First of all, make sure your team feels empowered to tweak the plan as the situation warrants. This is in fact one of your central crisis training goals: appreciating when and how to go off script to get through an active crisis intact.
However, if your team does need to deviate from the plan during training, have them document what they’ve done, why they’ve done it, and the results of doing so. Those findings will be incorporated into the latest edition of the plan.
Additionally, in the case of emergency planning, try to coordinate training with the public safety agencies who’ll be called in in the event of a disaster. Those agencies will be an important part of controlling the emergency, so bring them into pre-crisis planning as soon as possible.
Finally, don’t neglect resource management. You won’t just be training personnel; you’ll also be regularly assessing the capabilities and availability of your (human and non-human) resources. To keep detailed track of all of your resources, consider procuring crisis and emergency management software with resource management capabilities.
To cap: as the saying goes, failing to plan is planning to fail. And in the case of a crisis, planning failures themselves can be spectacularly costly. Don’t pay the price. Follow our ten steps and start creating (or updating) your crisis management plan today.
And if you have a plan, don’t neglect crisis management software that will make that plan accessible to you in a digitised format, perfect for when crises strike anywhere. Not sure what capabilities you need? Download our buyer’s guide to crisis management software.
Published May 19, 2021