Business Continuity Management (7): Crisis Management Planning and Training

Tony Blunden
 
Business Continuity Management
The previous articles have outlined an approach to Business Continuity Management that:
  1. Looks at your organisation in a way that makes the recovery requirements and priorities clear through a business impact analysis (BIA).
  2. Assesses the threats to the organisation that need protecting against (incidents that are serious enough to completely stop your organisation from functioning, usually referred to as Business Continuity Incidents) and refines them into a set of common response triggers.
  3. Provides a structured approach to developing an appropriate business continuity strategy and preparing and testing business continuity plans (BCPs) that will help the organisation to respond to a Business Continuity Incident.

Embedding BCM in the Organisation's Culture


Crisis Management has usually been defined as the role that senior management have during a Business Continuity Incident. It includes the high-level command and control aspects of:

  • Identifying a crisis situation
  • Deciding how and when to respond
  • Communicating both internally and externally
  • Leading and directing the recovery process

Crisis Management is usually carried out by a Crisis Management Team (CMT).

The new standard BS25999 has redefined these terms somewhat, introducing an ‘Incident Management Plan’ (IMP) which covers the acute stage of an ‘incident’. In theory an incident could potentially be contained and thus never become a crisis, so an IMP has a slightly wider scope than traditional CMT plans. However, the main contents and purpose of the IMP correspond to the above list.

Obviously the size of an organisation makes a big difference to both the role and the composition of a CMT. The larger the organisation, the more specialists can be brought to bear, and the whole recovery becomes a contained project run by the impacted parts of the management structure. For smaller organisations, a business continuity event is a business survival issue and the recovery is managed directly from the top; everyone is involved, fighting for their jobs.

Thus the answer to the question of the ideal structure and size of a CMT depends very much on the culture, type, size and configuration of an organisation. There are many views on the ideal size of the team. It partly depends on the culture of the organisation: the more hierarchical it is, the fewer members are probably needed. Very hierarchical organisations are usually used to all key decisions being made by those at the top and then cascaded down. Organisations with a flatter management style are used to more participation in key decisions and more localised decision making. Other factors that affect the ideal CMT structure for a particular organisation include:

  • Management style on the consensus to autocratic management spectrum and/or the paternalistic to entrepreneur spectrum.
  • The range of strategies open to the organisation during a recovery, i.e. how much decision making is actually needed.
  • The relationship between the business as usual organisation structure and the key processes that need urgently recovering.  If all the critical processes report into one person then that person is likely to be dictating the recovery.

The same wide variety applies to the CMT plan. Some organisations document detailed steps for their CMTs to follow through a crisis; others only draw up vague guidelines to go with the overall policy and strategy and rely on the experience of their senior people to do the right thing at the right time. BS25999 suggests the following should be included in all plans at least at some level of detail:

  • Roles and responsibilities
  • Plan Invocation
  • Task and action lists
  • Emergency contacts
  • People activities (site evacuation and muster site mobilisation, accounting for staff, safety issues, staff communications)
  • Media response
  • Stakeholder management
  • Incident management location
  • Any other useful information

The best way for a CMT to prepare itself for a crisis is to practise, usually through a simulation exercise of a particular scenario. In these types of exercise, a mock crisis is outlined to the CMT, who then have to work through the steps and face the consequences of their decisions. Typically the crisis will be something pertinent to the organisation and be the type of crisis that can be escalated gradually, giving the CMT members time to think through the timing of invoking plans and the risk/cost calculations they would face in a real crisis.

These exercises should test the performance of the CMT as a team. The interactions between the members are critical to its success. If the team splits into two or more factions that are working against each other, then the team composition needs to be changed. This can be a difficult situation for the BCM Coordinator, who is likely to be junior to most of the CMT, but if the issue is not resolved then the likelihood is that any crisis that the organisation faces will destroy it unnecessarily. For this reason, facilitation of these types of exercises is often given to external third party specialists.

CMT exercises should be carried out at least once a year to keep the lessons learnt current. Often organisations vary the composition of the team, bringing in deputies to widen the pool of potential members, get more views on how to handle situations and prepare for a crisis when not all the key players will be available for help.

Being part of a CMT is never going to be a full-time role and will always be a small part of senior managers’ jobs. Motivating them to take it seriously shouldn’t be required, but in the real world they will always have other priorities. It is critical for the BCM coordinator to gain and retain the support of the CEO in order to make the CMT exercises happen. If the CEO doesn’t think he or she has a role on the CMT, talk leadership with them. Even in large global organisations where a crisis in a division in a particular building in a particular city in a particular country has little impact on the organisation overall, the news of the crisis needs to be quickly escalated up to the top and support from the leadership for the impacted staff needs to be cascaded down just as quickly.

This article completes the cycle of our thoughts on Business Continuity Management and its many component aspects. BCM has evolved a long way in the last ten years but that evolution has not yet stopped. The introduction of the new standard BS25999 is the latest step to raise the bar. Expectations of BCM capabilities from the owners of businesses, auditors, regulators and other stakeholders are rising year by year. The large global organisations are slowly developing into distributed structures that support the concept of the fault-tolerant enterprise, where no single point of failure exists and fallback redundancy is built into everything.

BCM is finally becoming a recognised profession in its own right!

The series of Business Continuity articles was originally published on Complinet in the period late 2007 to early 2008.


© Chase Cooper 2008