How well are organisations geared to coping with catastrophes, crises and incidents? Do they make distinctions in the way they plan for them? Sue Copeman discusses the responses from StrategicRISK's Benchmarking Club.
Most organisations surveyed said that they had a formal written plan for managing a crisis, with best practice seen as the single most important driver for crisis management. Additional drivers cited were regulation, customer pressure and gaining a competitive edge. Only four percent considered that crisis management was driven by the need to reduce insurance premiums. In the 'others' category, around 15% of respondents mentioned business continuity, survival, stakeholder interests and similar concerns.
While 68% of the businesses surveyed said that they tested their plans at least annually, 14% admitted that testing was less frequent - and an alarming 11% said that they never tested their crisis management plans. One respondent suggested the crisis response capability should be tested frequently in different parts of the organisation.
Almost half of those organisations that did test their plans used desk-top exercises. Role play was the chosen method for 35%, and 14% were prepared to test using a full immobilisation scenario. Other means of testing included simulations, field practices and 'board discussion'. One organisation admitted that its testing had never been completed and that in any case the plan was 'deemed by management as being unlikely to be used'.
Over a quarter of those conducting tests said that emergency services and consultants are active participants, and 19% involve key suppliers. Most of the plans include processes for preventing reputational damage, and there was no significant statistical difference here between industrial and non-industrial respondents.
We asked for brief descriptions of the processes used for preventing reputational damage. Not surprisingly, there was strong emphasis on good communications. Responses included the following:
- "The plan includes a communication strategy to reduce the consequences of the event. It includes disclosure, credibility building plan, media action points and resource allocation plan. The overall objective is to reduce reputation damage, to communicate the facts to all stakeholders and to ensure that rumours do not circulate."
- "We are very mindful that several organisations have actually increased investment potential by successfully demonstrating crisis leadership in the abrupt audit of a real crisis."
- "Fully published crisis management and business continuity plans available for peer inspection with extreme firewalling to protect our clients from reputational and brand embarrassment."
- "A key part of this plan is a communication concept developed by our corporate communication department, addressing the expectations of shareholders, rating agencies, regulators, clients and brokers. In case of a real crisis the responsible teams are predetermined and the communication flow (from gathering internal information up to the release of 'crisis information' to third parties) is established in a way that assumes minimising the reputational risk."
- "Media training is constantly updated. Reputational risk scenarios are rehearsed. (There are) template press releases, dos and don'ts of what to say."
- "A clearly channelled, managed outbound and internal information flow, being fair and honest with media and stakeholders."
- "Ensuring all plans include prepared PR templates to ensure a head start for key statements and press response."
- "We work with our public information officer and outside crisis management consultants."
- "Scripts for emergency messages to customers, draft press releases."
- "Quick action and fact-based open communication."
- "Irrelevant" (a local authority respondent).
Of the nearly 50% of respondents who had had to use their crisis or catastrophe management plan in the last five years, an overwhelming majority (91%) felt that the situation had been handled very well or reasonably well.
<B>Spot the difference</B>
'Catastrophe risk management', 'incident response', 'business continuity' and 'crisis risk management' are common phrases, but do organisations make distinctions between them when carrying out their planning? Opinion was quite divided. Thirty one per cent saw no distinction, 40% saw subtle distinctions and a minority - 29% - saw very clear distinctions.
We asked those who did see distinctions to explain what the key ones are. Here are some of the responses:
- "It is mainly about required response time and escalation levels. Incidents are managed at the facility level; crisis is managed at the country, regional and global level. There are clear links but distinct differences in responses."
- "Catastrophe risk management = managing the risk of a catastrophe = reducing the risk to one of potential crisis = crisis management. Incident response is complete nonsense, despite BS25999. It's very clearly crisis management, which is a more accurate description. Business continuity is about continuing primary business tasks and should not be confused with crisis management."
- "Business continuity management is more or less the same as catastrophe risk management (unlikely, with major impact). After a major incident, crisis management comes into action. Crisis management handles the crisis and initiates incident response plans."
- "Business continuity is seen as the strategic risk management and day to day actions taken to ensure business success. Disaster recovery is our response to a problem."
- "Business continuity is the blanket covering all other aspects of management following a catastrophe or crisis, but specifically the planning before such an incident takes place. Incident response is pure reactive response."
- "Catastrophe is a situation where the business may go under. Crisis is a matter of lesser degree, which happens on a regular basis."
- "Catastrophe stipulates a strong likelihood that the business will never be the same again, whatever we do. Business continuity is a long term process rather than reaction to events."
- "Crisis management involves the development of a capacity to respond to unimagined and exceptional circumstances. Emergency response planning involves the development of detailed response plans triggered by a number of imaginable, perhaps predictable, defined emergency situations."
- "We follow the standard and call these events 'incidents' rather than use a term such as crisis or catastrophe which invoke a more emotional response. Then, depending on the incident, we invoke the incident management plan, the business continuity plan or the business recovery plan."
<B>Sponsors Column</B>
The fact that almost 50% of respondents to this survey have had to initiate a catastrophe/crisis plan in the last five years is sufficient proof of the need for such a plan. However, interestingly, less than 20% of respondents actually utilise key suppliers during the planning and testing of these plans.
The first hours and days following a CAT/crisis are critical for making the overall response a success and protecting the company's brand, reputation and finances. For example, not all crises will require a claims response but a large proportion will. Having your claims provider involved in the planning and testing will ensure that:
- they completely understand your corporate philosophy and objectives
- they are able to deploy resources more quickly
- the support facilities such as freephone numbers, call centres, IT/systems etc are available immediately
For more information on Crawford CAT/crisis management services please contact Paul Bermingham on 020 7220 1562.
<B>BS 25999</B>
British Standard 25999, Business Continuity Management, Part 1: Code of Practice was published in November 2006, replacing Publicly Available Specification (PAS) 56 "Guide to Business Continuity Management".
Part 2 is due to be published in 2007 and will provide a specification against which business continuity management processes can be measured. Accreditation procedures using Part 2, due to be available late in 2007, will allow organisations to achieve and demonstrate formal compliance with BS 25999 (as many have already done in other areas such as ISO 14001).
However, most of the organisations surveyed (63%) appeared to be in no rush to gain accreditation and were not planning to do this within the next year. A similar proportion did not plan to make accreditation a requirement for their suppliers.