How Much Crisis Planning is Enough?
One of the most important management competencies is planning. Crisis planning is the preparation of documented action steps designed to improve the organization's response toward mitigating a disruption's impact on assets and resources. Long ago, I was given some sage advice prior to briefing proposed Crisis Planning improvements to the executive team. My boss said, Remember Mike, whatever you're talking about, you're talking about money. This truism is an unrelenting one. In tandem with day-to-day operational constraints and limitations, the threat of an event evolving into a crisis consistently challenges an organization's management team to walk a tightrope between adequate mitigation efforts and fiscal need. In balancing these competing interests, How much crisis planning is enough? is often a question posed. Crisis planning is essential to monitor for, react to, and recover from organizational disruptions. There are three (3) key aspects which provide indicators as to where your program resides:
- Developing and Monitoring the organization's Risk Profile.
- Defining and Communicating the organization's Risk Appetite.
- Ensuring Crisis Planning is Established, Implemented, and Effective.
Developing and Monitoring the Risk Profile
Crisis is a disruption of normal operations which exceeds emergency response, or a condition where the entity has no preplanned mitigation to contain or control the disruption. Maintaining a state of normalcy, for any organization, is directly dependent upon the risks to their assets and processes. The key to reducing the frequency and severity of a crisis is to fully understand the organization's Risk Profile. The organization's Risk Profile is derived from a methodology which determines how risk varies across comparable assets and processes (Figure 1). When developing the Risk Profile, management assesses the:
- Origins of Risk
- Assets or Processes at Risk
- Vulnerabilities and the Effectiveness of Current Controls
- Probability of Occurrence and the Potential Impact/ Consequences
- Scores and Prioritizes Risk (this aids in the Distribution of Resources)
Figure 1. Risk Profile Methodology
After assessing these factors, management should determine if the residual risk is at an acceptable level. If unacceptable, the decision-maker has several options: apply additional controls, share the risk, separate the asset or process from the stressor, or accept the increased risk to the organization's Risk Profile.
Planning is not a static concept. The effectiveness of risk controls can change rapidly. Once the Risk Profile has been developed, management must sustain an ongoing ability to detect, assess, and respond to environmental changes. Ensuring the diligent monitoring of climate and culture reduces the opportunity for incidents and emergencies to metastasize into crises. Internally, the organization should establish key performance indicators (KPIs) in monitoring operations, training, and exercises. KPIs enable fact-based decision-making to determine where the organization's crisis planning should reside in the risk continuum. While How much crisis planning is enough? is subjective, these performance metrics can provide leadership with critical data points to adjust the level of crisis planning to the current Risk Profile.
Defining and Communicating the Risk Appetite
How much a risk decision-maker decides to assume has a direct relationship with How much crisis planning is enough?. At all levels of the organization, too many decisions are made with an incomplete understanding of the Risk Profile and the requisite capacity needed to effectively manage the risk. To offset this, it is paramount that executive management defines the organization's Risk Appetite. In this formal communication, executive leadership establishes the risks it considers most significant to strategic goals, objectives, stakeholder positions, and risk experience. This document should set the organization's risk culture, tolerance levels, and approach toward managing risk. All strategic and operational plans and programs should be consistent with this crucial communication.
While there are several ways to manage the organization's Risk Appetite, the program suite depicted below (Figure 2) provides the foundational elements. This centralized programmatic approach of related plans provides a means to proactively reduce (outlined in gold) and reactively manage (outlined in red) organizational disruptions. This model requires executive sponsorship, managerial infrastructure, and a requisite level of planning. Executive sponsors provide goals and objectives, while plan managers create structure, provide guidance, and establish priorities. Based on the organization's current Risk Profile and established Risk Appetite; managers determine the plans approach, assign roles and responsibilities, manage resources, oversee change management, and report the results to the executive sponsor.
Figure 2. Program Suite
As shortfalls in the capabilities and effectiveness of risk management, emergency response, and continuity planning can lead to the organization declaring a crisis; management should implement an audit and oversight function to preempt opportunities for a self-induced crisis. Considerations which facilitate the response to How much crisis planning is enough? include:
- How strong is the organization's commitment to Risk Management Competencies?
- How effective is the organization's Risk Management Plan?
- What metrics are used to evaluate the effectiveness of Emergency Response?
- What is the level of commitment toward Continuity Planning?
- How frequently are plans trained, tested, and exercised?
There is no suitable substitute for undertaking the effort to establish the organization's Risk Profile and Risk Appetite. Without ensuring the underlying factors of risk (potential disruptions, consequences, and vulnerabilities) align with the organizations selected level of Risk Appetite; the efficacy of the applied mitigation measures will be largely indeterminate. Although crisis decisions will always contain a degree of uncertainty, those decisions should always be based on sound analysis. Otherwise, How much crisis planning is enough? becomes moot.
Ensuring Crisis Planning is Established, Implemented, and Effective
The capability to respond to a crisis in a rapid and effective manner is essential. At each decisive moment, everyone involved throughout the organization should know the plan and manage it as designed. As trust and confidence are traits unwilling to lend themselves to surge efforts or compressed timelines, crisis planning warrants a strong focus on human dynamics.
Ensuring crisis planning is established, implemented, and effective provides the means to proactively determine the shortfalls in the organization's capacity to cope or adapt to disruption. This final aspect reveals any major oversight and provides potential improvement opportunities. The product produced by the criteria below (Figure 3) represents the composite picture for organizational leadership to determine, with confidence, How much crisis planning is enough?.
Figure 3. Crisis Planning Evaluation Criteria
When an organization:
- Monitors its Risk Profile
- Establishes its Risk Appetite Statement
- Commits to the pursuit, development, and application of Risk Management Competencies
- Trains, tests, exercises, and audits the capabilities and effectiveness of risk reduction efforts
Its crisis planning has a high probability to contain and control the impacts of disruption and return the organization to a state of normalcy. In that moment, the question How much crisis planning is enough? will be answered.
For more practical insight into how to create a more resilient organization, download our white paper, Business Continuity Management Program Best Practices.