3 Key Measurements in Evaluating Management of Risks
As we close the year, we should all review our responsibility to ensure the safety of those within the walls of our organizations. Can we safeguard the well-being of everyone within a facility? How do we know?
Sit down with your team and ask the following questions:
- Is there is a clear and defined risk-management process?
- Are risks are correctly evaluated?
- Key risk evaluation and reporting is defined?
- Is there a key risk review control process?
- Are internal controls operating effectively?
- Does oversight of monitoring risks align with best practices?
To prepare for 2018, your crisis management team should also ask:
- “Are those within our facilities safe?”
- “How are we sure?”
- “How do we know that we are sure?”
- “How do we measure?”
The objective for any continuity program is to ensure a safe environment for those within our facilities and to continue to provide services to stakeholders – even when threatened by natural or man-made crisis situations. There are many moving pieces that must work together, however, to ensure success under stressful circumstances. Ultimately, executives and leadership want to know, “Can my organization survive a major disruption without harming my brand’s reputation and community?” and leadership must have the ability to categorically respond to clients, stockholders and regulators, “Yes, we can.”
Without the proper measurements and plan, an organization cannot identify threats.
What Should You Measure?
Creating a strong plan requires mission-critical facts. The challenge is creating a comprehensive, meaningful picture across multiple initiatives. Quantifiable data points may include number of plans and tests completed, plans reviewed and maintained, and personnel participating in training and tests. These are all excellent examples of ways to show progress toward crisis readiness.
Additionally, qualitative measurements must be included to help show progress when plans are tested. The completeness, availability and readiness of policy, context framework, teams and operational protocols add rich detail and meaning to the plan. Furthermore, regular benchmarking review against industry regulations, standards and best practices illuminate gaps and weaknesses that require attention before they catch an organization off guard.
Based on organizational goals and program development stage, ask:
- How is preparedness demonstrated?
- Are there clear roles and responsibilities?
- Is the organization aligned to best practices? Are you sure?
- Does your plan cover both ‘What to do’ and ‘How to do it?’
- Is the newest hire able to assume control of a crisis?
How Should You Measure?
First, establish the context of your continuity program by understanding the end goal. Build a framework and outline it in a policy with clear roles and responsibilities. Then, build a map that guides your program along a clear route. Enlist expert resources that resonate with your industry, geography and organization’s culture. Lastly, ensure you are measuring progress against eliminating the five common failures in a crisis:
- Control critical supply chains.
- Train employees for work and home.
- Identify and monitor all threats and risks.
- Conduct exercises and update plans.
- Develop a crisis communications plan.
Measuring goes beyond writing a crisis plan and identifying threats. A robust plan incorporates actions and practice. Establish a team of at least three staff members to read your plan, conduct interviews and perform site inspections to determine:
- Is the plan reviewed and updated annually?
- How did you identify the risks?
- Have you conducted a security assessment?
- How do you monitor for each threat or risk?
- How do people within your organization know about the plan?
- Have you reached out both physically and virtually (via social media) and connected with local law enforcement, law and city officials? Connecting with officials can assist in crisis messaging when an event occurs.
- Is every component tested at least annually?
- Does every activation or exercise have a Hot Wash afterwards?
In the last 365 days, we have seen crises unfold in every way from workplace violence to cybersecurity to natural disasters. In response to these events, plans should be reviewed and tested to identify weak points and gaps. Following every test of a crisis plan, the team involved must convene and evaluate how the plan worked. Identifying strengths and weaknesses after testing is critical.
It’s not too late to test and improve plans. Learn from 2017 to improve your organization’s resilience for 2018.