A core responsibility of any risk professional is planning for any possible disasters your business might face. These could be man-made, such as a data breach or accidents involving machinery, or natural, like a tornado or flood.
Disasters and crises affect different organizations in different ways—one company might consider something a catastrophe, while another may not even notice a change in its workflow. It is important to look at your own business operations and evaluate what you would consider a crisis. Generally, business crises fall into one of three categories:
- A danger to the physical safety of employees or customers
- Loss of income or means of making income
- Events or people negatively affecting your business reputation
In many cases, the crisis may fall into more than one of these categories. An accident in the workplace that is hazardous to employees can impact the company’s income because the factory has to shut down. This can also negatively affect the company’s reputation if it turns out that the company did not provide a safe working environment.
With even the best risk management programs, no organization can avoid all disasters completely. Risk mitigation often comes down to crafting the best plans possible for the moment disaster inevitably strikes. These eight steps can help risk professionals develop strong crisis and disaster response plans:
1. Define The Types of Crises You Could Face: There is not a one-size-fits-all approach to a crisis management plan. Working out what is likely to affect your business specifically can relate to your geography—areas that get hit by severe storms or earthquakes must include those potential disasters, and what knock-on effects they may cause. For example, storms may cause flooding, loss of power, or blocked roads that make it difficult to reach your premises. The type of crisis can also be specific to your industry. Employees in a manufacturing facility are likely at greater risk in a physical disaster than those working in a tax consultancy, for example. Security should also be a consideration. Is your business likely to get robbed of cash or equipment? Do you have high-profile proprietary information that makes you more likely to be the victims of cybercrime?
2. Triggering the Plan: Including levels of urgency in your plan will help people responding to the crisis pinpoint how significant the event is, and how much of the plan must be put into action. A step-by-step approach for specific scenarios can be helpful and cover dealing with man-made and natural disasters in different ways. The risk for each will be unique to the situation and knowing when and how to trigger a response is key. The plan should include how and when to escalate the response should the crisis worsen, as well as how to identify when the crisis has passed. It can be helpful to use red, yellow and green system to indicate severity and urgency, and this classification approach is easy to adapt to any scenario.
3. The Base of Operations Location: Accidents or natural disasters may cause your usual place of business to close temporarily or permanently. In your plan, designate a backup command center in an alternate location for dealing with the crisis until you can get back to work. This location can be your company’s operations hub, a point for gathering after a crisis, or where you know your sensitive and important data backs up. If a natural disaster has made travel dangerous or roads impossible to navigate, you will also need a virtual base of operations—some possibilities include message boards, chat apps or email. With so many employees working remotely because of COVID-19, this may be easier to implement now.
4. The Chain of Command: Ensuring a clear chain of command so that there is no arguing or confusion when people and the business are at risk. Wherever possible, appoint a back-up for each person in charge so if someone cannot perform their duty, it falls to the next in line.
5. Internal and External Communication: When a crisis compromises an office or business, communication can become tricky. Have a clear set of rules for how you get information to and from your employees, what information you must and must not share with those outside of the company, and how to achieve that. This part of your crisis management plan can save lives and stop rumors from spreading.
6. Necessary Resources: Though this will depend on the nature of the business, consider first aid and safety equipment if you are likely to have injuries or get cut off because of poor weather. Also, think about alternate communication methods if mobile phone towers go down or the electricity gets cut, as well as access to your sensitive data, such as employee contracts and supplier agreements.Include all necessary resources you would need to operate and highlight any alternate replacements. For example, if a storm knocks out your power, you may have a generator.
7. Training: It is no good putting a crisis management plan together and not giving the relevant people the training they need to execute it. For example, the people you name as first aid providers or unit leaders need to know what is expected of them and undergo the necessary training. If you have safety equipment on your premises, like fire extinguishers or emergency release valves for machinery, you need to educate all stakeholders how these work.
8. Testing the Plan: Finally, test that your plan actually works. Review it with staff and conduct safety drills regularly—every two months at least. Look for any weak points or flaws in the plan before an actual crisis.While it may not be possible to anticipate everything a disaster brings, you can set up several response plans and test each one individually. These plans can tie in with your standard safety drills, or stand alone, depending on the nature of the event anticipated.
A crisis management plan is integral to every business, no matter its size, scope, or sector. By preparing for various potential disasters, you can take action when needed without putting your organization, employees, or yourself at unnecessary risk.