How to Measure and Assess a Crisis Plan
As we enter the last quarter of 2018, let’s reflect on the year in crisis and risk. To name a few incidents, we’ve witnessed:
- Episodes of workplace and school violence that ignited global media attention
- Phishing Scams
- Senior executives fired from notable companies
- A false alarm missile threat in Hawaii
Although not as widely publicized by the media, we have seen crises averted this year:
- Thwarted school shooting in Illinois
- A Michigan hospital limits visitation hours during flu season
- Schools and Businesses identify behaviors of concern before tragedy
Following crises, a responsible leader will convene a meeting with the organization’s crisis management team to review and measure the crisis plan to identify weaknesses and vulnerabilities. According to our 7th Edition Crisis Event Impact Management Report, 28.8 percent of organizations have updated their crisis plans in the last 12 months. When was the last time your crisis plan was reviewed, edited, and updated?
Firestorm advises every leader to annually meet with their team and ask the following questions:
- Is there is a clear and defined risk-management process?
- Are risks correctly evaluated?
- Is key risk evaluation and reporting defined?
- Is there a key risk review control process?
- Are internal controls operating effectively?
- Does oversight of monitoring risks align with best practices?
Your crisis management team should also ask:
- “Are those within our facilities safe?”
- “How are we sure?”
- “How do we know that we are sure?”
- “How do we measure?”
The objective for any continuity program is to ensure a safe environment for those within the facility and to continue to provide services to stakeholders – even when threatened by natural or man-made crisis situations. There are many moving pieces that must work together, however, to ensure success under stressful circumstances. Ultimately, executives and leadership want to know, “Can my organization survive a major disruption without harming my brand’s reputation and community?” and leadership must have the ability to categorically respond to clients, stockholders and regulators, “Yes, we can.”
Without the proper measurements and plan, an organization cannot identify threats.
What Should You Measure?
Creating a strong plan requires mission-critical facts. The challenge is creating a comprehensive, meaningful picture across multiple initiatives. Quantifiable data points may include number of plans and tests completed, plans reviewed and maintained, and personnel participating in training and tests. These are all excellent examples of ways to show progress toward crisis readiness.
Additionally, qualitative measurements must be included to help show progress when plans are tested. The completeness, availability and readiness of policy, context framework, teams and operational protocols add rich detail and meaning to the plan. Furthermore, regular benchmarking review against industry regulations, standards and best practices illuminate gaps and weaknesses that require attention before they catch an organization off guard.
Based on organizational goals and program development stage, ask:
- How is preparedness demonstrated?
- Are there clear roles and responsibilities?
- Is the organization aligned to best practices? Are you sure?
- Does your plan cover both ‘What to do’ and ‘How to do it?’
- Is the newest hire able to assume control of a crisis?
First, establish the context of your continuity program by understanding the end goal. Build a framework and outline it in a policy with clear roles and responsibilities. Then, build a map that guides your program along a clear route. Enlist expert resources that resonate with your industry, geography and organization’s culture. Lastly, ensure you are measuring progress against eliminating the five common failures in a crisis:
- Control critical supply chains.
- Train employees for work and home.
- Identify and monitor all threats and risks.
- Conduct exercises and update plans.
- Develop a crisis communications plan.
Measuring goes beyond writing a crisis plan and identifying threats. A robust plan incorporates actions and practice. Establish a team of at least three staff members to read your plan, conduct interviews and perform site inspections to determine:
- Is the plan reviewed and updated annually?
- How did you identify the risks?
- Have you conducted a security assessment?
- How do you monitor for each threat or risk?
- How do people within your organization know about the plan?
- Have you reached out both physically and virtually (via social media) and connected with local law enforcement, law and city officials? Connecting with officials can assist in crisis messaging when an event occurs.
- Is every component tested at least annually?
- Does every activation or exercise have a Hot Wash afterwards?
This year we have seen crises unfold in every way from workplace violence to cybersecurity to natural disasters. In response to these events, plans should be reviewed and tested to identify weak points and gaps. Following every test of a crisis plan, the team involved must convene and evaluate how the plan worked. Identifying strengths and weaknesses after testing is critical.
It’s not too late to test and improve plans. Learn from the first nine months of 2018 to improve your organization’s resilience for the remainder of the year.
Not sure where to start? Firestorm Professional Services, led by our Chief Administrative Officer, Wendy Ruffcorn, works with clients to utilize the best analytics available and align programs with resources, insurance, external support and best practices before the next crisis. Our team is here to help you with enterprise risk management, crisis management, business continuity and incident management.