The persistent threats of terrorist activities, coupled with even more frequently occurring natural disasters, serve as ongoing reminders of the importance of effective crisis management and business continuity planning. A crisis can have a significant effect on an organization's reputation, financial stability, health and the well-being of its employees and consumers, the community and the environment. Crisis management has become an increasingly important aspect of modern business management. It is a strategy that links the functions of risk management, business continuity, security, emergency response and recovery.
Organizations are no longer able to effectively protect themselves or respond to an incident with an individualistic approach. As such, it is essential to form a community line of attack when developing a crisis management/business-continuity game plan.
Initially, organizations must identify the most critical members of its community. This could include partners, competitors and customers, as well as federal, state and local entities. Currently, information sharing and analysis centers (ISACs) are the only formalized community forums for sharing information. These organizations primarily comprise industry or sector-specific members and are often unable to provide members with timely information. As such, there is really no single clearing-house for organizations to access accurate, time-critical emergency information.
As a result, the sharing of emergency coordination and response information with necessary public-private sector organizations is an informal process, largely based on personal relationships. For example, a financial services company may receive crisis background updates because a senior executive has a contact at the FBI, while a city's largest insurance company may receive slightly different information regarding the same event from the local police.
Formalizing the processes
Gathering emergency planning information based on an informal process and personal relationships can significantly restrict a company's ability to gather critical information quickly. Without complete information, these organizations are significantly hampered in their abilities to plan effectively or accurately. Rather, they are forced to make emergency planning decisions based on standard best practices. Without visibility into a specific threat or emergency, organizations cannot modify their planning to address the characteristics of the threat.
For instance, the local manufacturer that closes its facility and evacuates its employees should be able to quickly learn from local authorities if roads or highways have been closed, causing traffic to be rerouted. Not obtaining this information could subsequently lead to traffic congestion, unintentionally exacerbating emergency response efforts.
Developing an efficient mode of communication, allowing for collaboration and coordination to respond to crisis situations swiftly, is necessary to alleviate these situations. As part of this approach, the ability to provide and receive relevant information at a single location, or in one common format, will provide for increased and more reliable shared information. Ultimately, this will result in more accurate decision-making capabilities for crisis managers.
Another practice that is not commonplace today is the sharing of confidential company information. To prevent attacks or be more resilient when they occur, organizations must communicate private information securely to community members.
Frequently, we are accustomed to trading our privacy for security. For example, we are willing to undergo a variety of private searches in exchange for improved airport security. Similarly, we should allow for the flow of private information among community members to increase security and response capabilities. To increase crisis planning and response effectiveness, organizations must also formalize an operational model to share this information and coordinate with the public sector.
The informal sharing of crisis information is pervasive across all industries. As part of our 'tabletop' emergency preparedness exercises, we run through crisis scenarios and work with public and private sector attendees to hone and formalize emergency response plans. During our sessions, we also ask attendees how they would address a specific event, such as an escalation in the Homeland Security Advisory System. Typically, all of the attendees contact a public-sector agency or coordinate with neighboring businesses or industry partners.
The increased threat of terrorist attacks and natural disasters dictates that emergency management and business continuity planning must become an integrated focus for all business and government initiatives. Communities must work closely to develop formalized public/private practices and operational models to manage new crisis and business continuity requirements. n
Richard Andrews is principal consultant on emergency management for the National Center for Crisis and Continuity Coordination (NC4).