Crisis Management Audit Plan

Transcription

1 Contributed 8/30/99 by Denys Martin, Background and Rationale You come to your office for the beginning of your workweek and because of some unforeseen event there are no employees, no working telephones, no functioning computers, no utilities. You're the Chief Executive. What would you do? Where would you start? Unquestionably this is a crisis. Remember that you have access to almost none of your regular business tools. If this had been an actual incident; such as many businesses experienced in Wellington, New Zealand in 1997, it would already have been too late to concern yourself with developing a Crisis Management Plan! You need to have a Plan in place to ensure continuity of operations. But, what kind of Crisis Management Plan is an effective one? You need to ask: "What is a crisis for my organisation?" For this audit, the following definition will be used: A crisis can be defined as any unplanned event, occurrence or sequence of events that has a specific catastrophic consequence. Natural disasters, IT viruses, financial manipulation, societal disruption, pollution and stringent regulations are but a few examples of potential crisis situations. The reasons for focusing on these issues may result from a commitment to protect the public, the employees, to comply with government regulations or to protect their organisation from possible liabilities and litigation. The consequences for not focusing on these issues can be disastrous. Audit Standards: A cohesive Crisis Management Plan should have the following components: Compliance Preparedness Training & Resource Development Information Management Critical aspects that must be in the Crisis Management Plan: Effective coordination of activities within the organisations ; Early warning and clear instructions to all concerned if a crisis occurs; Continued assessment of actual and potential consequences of the crisis; Continuity of business operations during and immediately after the crisis. A brief synopsis of the common weaknesses in Crisis Management planning may prove helpful. Possible weaknesses to verify: Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 1 of 5

2 1. No systematic collection of planning information. This includes such aspects as risk analysis, organisational information, relevant laws, company policy procedures and location specific data. 2. No systematic dissemination of planning information. 3. Failure to identify and establish an incident command structure. This is a common pitfall as many planners try to fit their organisation into a standard incident command system not designed around their particular needs. 4. No, or minimal, coordination with affected entities. Poor communications with external dependencies such as the community, neighboring industries, identified support entities (fire, police, hospitals, etc.) can lead to confusion and chaos during an emergency. A simple issue such as who is the primary contact for offsite agencies during an emergency can cause major disruption during an incident. 5. Lack of, or poorly defined, Organisational Responsibilities. Failure to provide clear, concise procedures defining a person's functions, duties and tasks upon assuming their emergency organisation position. 6. Once developed the Plan is not or is, at best, poorly maintained. The Plan may have been developed to meet a regulatory requirement. 7. There is no provision for testing and review or continued evaluation and periodic update of the material. For example, changed information, such as telephone numbers maybe buried in various paragraphs throughout the plan. 8. The material that was developed is not user-friendly. The plan may contain too much information. Unfortunately, the user has to be a brain surgeon to figure out his/her role in its implementation. There should be simple, easy-to-use supplemental materials that can be used as a quick reference guide during an emergency. 9. Training relevant personnel on the plan and their role in its implementation. 10. The plan needs to be disseminated to the authorities. Failure to include appropriate parties on the distribution list most often leads to failure on their part to respond in the manner hoped for. COMPLIANCE The risk assessment is the initial step, toward reducing vulnerability. All relevant levels of management should become part of the Crisis Management Plan. This can be achieved in several ways: 1. Senior manager directly responsible to top management and the board of directors. The formal assignment of a senior manager to the position such as "Crisis Management Plans, Director," or some other appropriate title, can accomplish the initial portion of this item. Additionally, there should be within the individual's job description some measurement standard to evaluate performance. Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 2 of 5

3 2. Set aside specific time for reports on crisis management preparedness issues. This can be accomplished by preparing an agenda for senior staff and board of director meetings that includes a discussion of crisis management preparedness as a mandatory item. They should give it more than lip service though. Also, they must make the discussion substantive. Provide more than the dull and tiring statistics on reportable accidents, etc. Include all levels of personnel in the presentation process. 3. Make crisis management planning issues part of the strategic planning process. In one aspect, government regulations are defining strategic implications for companies. 4. Communicate compliance through all levels of the organisation through company policy and procedures. This can be accomplished through formal adoption of policy at the highest levels of the company. Generally, this will require the approval of the Board of Directors. PREPAREDNESS Preparedness used in the broadest context means any and all measures taken to prevent, prepare for, respond, mitigate and recover from a crisis. It's with this perspective that we begin to breakdown the aspect of Preparedness. Preparedness consists of four critical aspects: Preparation and Prevention Detection and Classification Response and Mitigation Reentry and Recovery Preparation and Prevention: Any set of activities that prevent a crisis, reduce the chance of a crisis happening, or reduce the damaging effects of a crisis. Preparation and Prevention activities include, but are not limited to: Development and implementation of the Crisis Management Plan Development and implementation of Crisis Management Plan Implementing Procedures Development and implementation of Crisis Management/Response Training Detection and Incident Classification: Actions taken to identify assess and classify the severity of a crisis. Detection and Classification activities include, but are not limited to: Activation of Crisis Management Systems Escalation of Crisis Management Plan Implementing Procedures Escalation of the Crisis Management/Response Organisation Response and Mitigation: Actions taken to save lives prevent further damage and reduce the effects of the crisis. Response and Mitigation activities include, but are not limited to: Crisis Management/Response operations Subsidiaries Crisis Management/Response operations Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 3 of 5

4 Continuity of business operations Recovery: Actions taken to return to a normal or an even safer situation following the crisis. Recovery activities include, but are not limited to: Activation of the Recovery Plan Coordination with subsidiaries TRAINING The training of the Crisis Management/Response Organisation is one of the critical success factors that must be addressed if an adequate response is to be achieved. The development of the compliance Plan, involvement of all levels of management and establishing preparedness is only part of the overall process. To ensure an adequate response, a trained organisation is required. A "systems" approach to preparing effective training Plans should consist of: 1. TASK ANALYSIS: determine the skills, knowledge and procedures required for satisfactory performance of each task. 2. INSTRUCTION: Lessons are systematically presented using appropriate instructional methods. Instruction may include lecture, self-paced or group-paced mediated instruction, simulation and team training. 3. EVALUATION: Performance standards and evaluation criteria are developed from the learning objectives. Each trainee's performance is evaluated during the course and during field performance testing. 4. DRILLS: In addition to the formal training Plan, need drills and exercises. INFORMATION MANAGEMENT The need to establish and maintain an ongoing dynamic Crisis Management Plan is essential. In order to facilitate planning requirements, a record of all initiatives should be retained. These records serve to document the accomplishments, requirements, commitments and reports relating to various Plan requirements. The identification of commitments in the areas of compliance, emergency preparedness and training is vital. The establishment of a defined information management system structure will ensure that documentation will be available when needed. Senior management must be kept well informed. Information is a corporate asset. Information is expensive. It must be shared and managed effectively. Information management is also critical during a crisis. The need for active systems to provide information on materials, personnel, capability information on materials, personnel, capabilities and processes is essential. It is extremely important to have a system (and adequate back-up systems) in place that serves to identify, catalog, Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 4 of 5

5 set priorities and track issues and commitments relating to crisis management and response activities. QUALITY ASSURANCE The Crisis Management Plan should be independently audited for quality assurance from an independent source who can certify the adequacy of the process. Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 5 of 5