via TechTarget: A crisis management plan (CMP) is a document that outlines the processes an organization will use to respond to a critical situation that would negatively affect its profitability, reputation or ability to operate. CMPs are used by business continuity teams, emergency management teams, crisis management teams and damage assessment teams to avoid or minimize damage, and to provide direction on staffing, resources and communications.
Public relations are often an integral aspect of the crisis management process. An organization may choose to enlist outside public relations help to handle communications aspects, such as dealing with the media. With a public crisis response, an organization can counter any misleading and false information and seek to ease concerns. If an organization resolves a crisis situation quickly enough, bringing the event to the attention of the public may not be necessary and could even bring unwanted attention.
In an age of increased cybersecurity attacks, organizations should have a “when, not if” mentality regarding crisis management planning and should form a plan as if an incident will happen. It’s important to be proactive, rather than reactive.
Defining a crisis/types of crises
A crisis — which can last from a few hours to several days or longer — requires decisions to be made quickly to limit damage to an organization, its stakeholders and the public. By providing a well-documented set of responses to potential critical situations, a CMP allows an affected organization to act quickly should a serious incident occur.
Potential crises, according to Ready.gov, an official website of the U.S. Department of Homeland Security, include:
- Natural disasters such as hurricanes, earthquakes, tsunamis and volcanos;
- Other severe weather events such as flooding, blizzards and droughts;
- Biological hazards such as foodborne illnesses and pandemics;
- Accidental human-caused events such as fires, explosions, building or structure collapses, and hazardous material spills;
- Intentional human-caused events such as robberies, violence and fires; and
- Technology issues such as outages and cyberattacks.
What you need to include in your crisis management plan
Crisis management planning spans preparation, development of processes, and testing and training.
An effective CMP should tackle the following initiatives:
- Identify crisis management team members.
- Document what criteria will be used to determine if a crisis has occurred.
- Establish monitoring systems and practices to detect early warning signals of any potential crisis situation.
- Specify who will be the spokesperson in the event of a crisis.
- Provide a list of key emergency contacts.
- Document who will need to be notified in the event of a crisis and how that notification will be made.
- Identify a process to assess the incident, its potential severity and how it will impact the building and employees.
- Identify procedures to respond to the crisis and emergency assembly points where employees can go.
- Develop a strategy for social media posting and response.
- Provide a process for testing the effectiveness of the crisis management plan and updating it on a regular basis.
A typical crisis management plan has several sections. According to business continuity and disaster recovery expert Paul Kirvan, a CMP should include:
- An outline of the purpose, scope and goals of the plan.
- An evacuation plan.
- A crisis response strategy that develops a framework to manage the crisis.
- Contact lists, including staff, vendors and law enforcement.
- Media management.
- Crisis procedures that define specific responses to a variety of incidents.
- Integration with other emergency plans.
The importance of a crisis communication strategy
Communication is key to getting through a crisis because it keeps all the necessary players, ranging from a single office to a global reply, informed. As the crisis develops and evolves, the organization should update its communications.
During a crisis situation, employees look to management for leadership and guidance. Without the proper communication, people may speak or act erroneously. Lack of communication could also cause a safety issue.
An organization should designate a crisis communications team. All communications should be clear, concise and truthful. For the sake of speed, an organization could proactively draw up a template with potential scenarios, designate the appropriate channels for communication and then plug in the necessary information if the actual incident occurs.
Methods of communication include:
- A call tree, in which a team member calls a designated fellow employee or employees to communicate the message.
- Automated notification, such as a recorded voice message broadcast to employees.
- Social media, such as Twitter and Facebook.
It’s crucial to regularly test the crisis communication plan to ensure it will hold up in the event of an actual incident. For example, an organization could run through its call tree. Or management could send out an automated messaging test.
Crisis response communications may have to be sent to various people. According to Ready.gov, potential audiences include customers, survivors impacted by the incident and their families, employees and their families, media, the community, company management and investors, elected officials and other authorities, and suppliers. Contact lists for all these audiences should be updated regularly. During an incident, the message should remain consistent across the different audiences.
Testing and updating your plan
Once completed, the crisis management plan needs to remain a living document. That means distributing it to employees, implementing training and testing, and updating the CMP on a regular basis.
Training sessions should be held so everyone involved knows their role. Testing ranges from tabletop exercises to full simulations.
After a test, it’s important to review the results, discuss what worked and what didn’t work, and make the necessary changes to the plan.
Standards are good tools for an organization to improve its crisis management planning. They help organizations manage disruptions to business and enable resiliency.
The British Standards Institution (BSI) provides the crisis management standard, BS 11200:2014. The standard “offers guidance to help management plan, establish, operate, maintain and improve their organization’s crisis management capability,” and is relevant to any size or type of organization, according to the BSI. The standard includes sections on crisis management core concepts and principles, crisis leadership, crisis decision-making and crisis communications.
In addition, the International Organization for Standardization (ISO) offers several standards for emergency management in its ISO 223XX series, including ISO 22320:2011, “Societal security — Emergency management — Requirements for incident response.”
Emergency response planning
An emergency response plan details the actions an organization must take immediately following an incident and includes potential interactions with outside help, including public safety responders. Every second counts during an emergency, so it’s important for disaster management to have a well-defined emergency response plan.
As part of emergency preparedness, an organization conducts a risk assessment to determine potential threats. The organization then develops the emergency response plan to protect its employees and other affected parties in the event of an incident. Safety and stabilization are keys in an emergency.
Ready.gov suggests 10 steps for developing an emergency response plan:
- Review performance objectives for the program.
- Review threat scenarios identified during the risk assessment.
- Assess the availability and capabilities of resources — including people and equipment — for incident stabilization.
- Talk with public safety services to determine their response time, knowledge of the organization’s facility and its hazards, and capabilities to stabilize an emergency.
- Determine if there are any emergency planning regulations at the facility and address them.
- Develop protective actions for life safety, such as evacuation, shelter, shelter-in-place and lockdown.
- Create hazard- and threat-specific emergency procedures.
- Coordinate emergency planning with public safety services.
- Train personnel.
- Test the plan.
Once the emergency response is over, the organization moves onto disaster recovery to restore operations as comprehensively as possible.
Depending upon the industry, a crisis management plan may also be known as a business continuity action plan, disaster recovery plan, contingency plan or scenario plan.