Why Crisis Response and Business Continuity Plans Fail

10 Lessons Learned from Real-World Experience

Many organizations invest considerable time, money and effort in developing Crisis Response and Business Continuity (CRBC) plans, only to have them fail at a critical time, usually during a disaster response. To learn about failed plans, I interviewed a number of risk and crisis managers as well as business continuity professionals. While not the result of scientifically based research, this anecdotal information provides valuable lessons learned from real-world experience.

Lesson 1: CRBC leaders sometimes develop crisis response arrogance

The CRBC role within an organization is very different from most operational positions. It is highly specialized and focuses, in large part, on how to protect and rescue employees in a disaster situation. To centralize this responsibility, some organizations will appoint only one person to develop and maintain the CRBC plan. This unique role and responsibility (including reporting relationships with senior management and the specialized nature of the work itself) can sometimes over-inflate an ego, creating a "crisis snob" who is overly confident about his or her ability and importance. If this individual has the chance to effectively respond to a crisis, a "danger of success" scenario may ensue, further inflating his or her ego. Such an attitude typically alienates and annoys co-workers to the point that an effective disaster response may be sabotaged.

To prevent this situation:

- Screen CRBC leadership candidates carefully for maturity and check references on past behavior.
- Consider appointing a CRBC team instead of an individual.
- Monitor group behavior and feedback during drills and exercises, and correct inappropriate behavior as soon as it occurs.

Lesson 2: Attempting to create the perfect structure for responding to every contingency is futile

Some planners try to create a structure to address every possible risk. This usually takes the form of multiple templates for every plan component, including incident response and long-term recovery. Typically, these planners have some knowledge of plan development but often lack actual crisis response experience.

The problem is that no two crises are alike. The unique circumstances of a given crisis will drive the specifics of the necessary response. As a result, having very detailed CRBC plans may look great in a binder or on a computer screen, but these plans may not be applicable in an actual crisis where events are unpredictable.

Planners need to take a lesson from the commercial aviation industry, which is more prepared to deal with a crisis than any other commercial sector. The state of the art in airline crisis response is to have plans in checklist format with broad, open-ended directions that can apply to a plane crash, natural disaster, public health concern or technology interruption.
Aviation industry planners realize that, since every crisis is different, the key to an effective response is recruiting the right employees to the crisis response team and training them to be flexible and prepared to deal with ambiguity.

Lesson 3: Too often, plans are not built around the unique circumstances of the organization

While writing this article, I Googled "business continuity" and stopped counting at 50 web pages of resources. Most offered some type of template, so for as little as $50 I could immediately receive a business continuity and disaster management plan for my organization. I merely had to fill in my company name.
This certainly is an inexpensive and easy way to develop a business continuity plan, and it may be attractive to organizations that have compliance requirements and limited budgets. However, there is one significant problem: crisis response and business continuity planning is not a one-size-fits-all process. The most effective plans are created around the unique circumstances and culture of an organization and take into account such things as company mission, products, locations, types of employees, leadership, ownership, regulatory requirements, etc. Customizing the plan to the specific organization also ensures greater employee ownership in a crisis situation.

Lesson 4: CRBC plans often fail to address the safety of human capital

Many CRBC plans focus almost exclusively on systems and operations. This may be a throwback to the early days of disaster recovery when the focus was entirely on information technology. But in disasters of the past dozen years, going back to the 9/11 attacks, greater appreciation has been given to viewing employees as a major organizational asset and workforce continuity as an important component of the CRBC plan.

Supporting the resilience of employees has taken on major importance, and provisions for workforce continuity (including Employee Assistance Programs, flexible scheduling and emergency leave, low-interest home repair loans, etc.) are becoming part of CRBC plans. In addition, organizations should consider proactive safety planning, such as emergency action plans that include annual evacuation, shelter-in-place and lockdown training and drills.

Lesson 5: CRBC plans rarely address both strategy and tactics

I have reviewed CRBC plans that contain sound high-level strategic direction, and I have reviewed tactical plans that are action-oriented and that identify specific response and recovery steps. Only occasionally have I reviewed CRBC plans that include both strategy and tactics.
An effective plan will incorporate both a top-down (strategic) and bottom-up (tactical) approach. The strategic plan will provide direction for senior management in making big-picture decisions about how the crisis is managed. This will include determinations of resource allocation, staff deployment, public relations, etc. The tactical plan will identify specific steps for restoration and recovery of mission-critical activities, mostly organized as departments and usually conducted by subject matter experts.
Having a CRBC plan that has strategic as well as tactical guidance ensures everyone is moving in the same direction with clear expectations and effective communication.

Lesson 6: There is a lack of necessary redundancy in many CRBC plans

An effective CRBC strategy will have redundancy in three areas: staffing, systems and operations. In an ideal plan, key staff will each have two trained back-up personnel. Systems will have back-up power (UPS and generator) and may have emergency remote hot sites that can be activated immediately upon the failure of the primary site. Operational redundancy will include alternate business locations or plans for employees working remotely. All redundancies should be tested at least annually.

This approach represents an ideal starting place. However, given resource limitations, most organizations make adjustments based on their available finances.

Lesson 7: Organizations must recognize that employees might be the first responders in a regional crisis

Many people believe that when a crisis occurs they can dial 911 and help will quickly arrive. That may be true if the crisis is confined to one building. However, if the crisis is regional, such as a severe weather event or a terrorist act, the usual first responders (police, fire and emergency medical personnel) will be in great demand and spread very thin.

As a result, employers need to build "organic resilience," the ability to respond quickly with internal resources. This is accomplished by preparing employees to act as first responders for up to 24 hours following a community disaster. This practice can prevent further injury and property damage by actively controlling the situation until community responders arrive on scene.
Lesson 8: Too often there is no clear ownership of plan maintenance, training and testing

An organization can have the best CRBC plan in existence, but unless someone (or a team) is assigned responsibility for maintaining it, the plan will quickly become irrelevant and obsolete. The tasks of annually reviewing and updating the plan, leading refresher training and conducting annual drills must be formally assigned and become part of the individual's or team members' job responsibilities. This practice will ensure that the plan remains current, the workforce is trained in its execution, and that key employees participate in an exercise to test the plan's functionality.

In addition, the responsible person(s) should schedule annual evacuation, shelter-in-place and lockdown exercises for all employees. This practice will help workers remember the steps to avoid injury during a critical event.

Lesson 9: CRBC plans must coordinate with community police, fire and emergency medical agencies

All organizations rely on community responders to assist in a crisis. Yet most never proactively involve these same agencies in plan development and testing. If a crisis occurs, this can result in significant challenges related to cooperation and coordination.

An effective solution is to invite first responder agencies to: (1) review your plan and make recommendations, (2) have a presence in annual plan execution training, (3) participate in annual drills and exercises, and (4) retain copies of facility blueprints. This approach will result in productive working relationships during a real crisis and avoid a potentially chaotic scenario (such as meeting the police and/or fire chief for the first time while in the midst of mayhem and confusion).

Lesson 10: After a large-scale crisis, recovery will lead to a new normal

People frequently talk about recovery and getting their organization "back to normal." What they fail to realize is that a major crisis will alter employees' view of their environment, meaning that a "new normal" will emerge. This new normal emerges from the shattered sense that one is safe and secure, combined with increased sensitivity to threats and risks, both real and imagined. The reality is that a major crisis will alter employees' perceptions regarding the safety of the workplace, which may change their behavior.
Managers must be aware of this probability and be trained and prepared to assist employees with this challenging transition.

Conclusion

Trial and error learning can be effective. However, it is far less traumatic to learn by the mistakes of others. By considering and acting on these real-world lessons learned, your organization may be more effective and efficient in creating and implementing a sound Crisis Response and Business Continuity plan.

Black Swan Solutions assists organizations in preparing for, responding to and recovering from the human impact of crises. Our turnkey approach integrates the expertise of experienced, masters-prepared professionals with state of the art technology. We mitigate organizational risk by ensuring that people get timely and accurate information, as well as the human support they need during and after a crisis. In responding to crises ranging from data breaches to mass casualty events, our client organizations, among the most recognized brands in the world, rapidly communicate with stakeholders, demonstrate compassion for victims, and protect their reputation. For more information, visit www.blackswancrisissolutions.com.