A scan of any news source today provides many examples of crises that can affect an organization. Some widely publicized business crises of the last decade include the Enron probe, the Massey Energy mine collapse in West Virginia, as well as the recent Chilean mine collapse, and the BP Gulf oil spill. Some groups may define a crisis as a significant business disruption that results in a large amount of media coverage and public scrutiny. In fact, most crises do not capture the media’s attention, while still having the potential to significantly impact operations of an organization. Environmental damage, class action suits, sexual harassment claims, white collar crime, and accidents that create casualties are just some examples of events that cause major disorder, disruption and threats to business continuation.
In any crisis, as well as in planning for possible crises, legal counsel is an important adviser during the development and implementation of a crisis plan. In some cases, claims and lawsuits will arise and legal counsel must be responsible for managing the outcome. It makes sense that counsel should play a major role in all the phases of crisis management planning.
The Institute for Crisis Management (ICM) reports that the majority of business crises are of a “smoldering” nature.[1] See, http://www.crisisexperts.com/essence_main.htm. That is, the organization has some advance knowledge of the circumstances involved and the need to prepare. Roughly a third of crises examined by the ICM are “sudden”[2] in the sense that they are unforeseen. Whether smoldering or sudden in nature, crisis management planning can help an organization maintain control and minimize harm to people, organization reputation, assets, and customer loyalty.
Definitions
The ICM defines a crisis as: “A significant business disruption that stimulates extensive news media coverage. The resulting public scrutiny will affect the organization’s normal operations and also could have a political, legal, financial and governmental impact on its business.” On the other hand, “risk”, which may be said to be the precursor of crisis, can be defined as “the threat of an action, event, or circumstance that could adversely affect an organization’s ability to meet its strategic goals”. Report of the NACD Blue Ribbon Commission, “Risk Governance: Balancing Risk and Reward”, National Association of Corporate Directors, 2009 (the “NACD Blue Ribbon Report”).
The planning that goes into identifying and preparing for risk and crisis can be variously described, starting with “Enterprise Risk Management”, or ERM, as “. . . a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential risks that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. COSO (Committee of Sponsoring Organizations), “Enterprise Risk Management – Integrated Framework”, 2004.
ERM and like titles for crisis planning all have similar underlying themes: organizations are recognizing value in assessing, prioritizing, and quantifying risks they face, with the ultimate goal of choosing the most effective and efficient mitigation or exploitation options available to them. In other words, they all share in common the identification, prioritization and quantification of risk in order to help the organization effectively manage exposure, deal with uncertainty and associated risk and opportunity, thereby enhancing the capability to build value.
The objective, ultimately, is continuity of operations. So, in turn, “Business Continuity Management” is defined as “a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation and value creating activities.” http://www.thebci.org/certificationstandards.htm. Business Continuity Management is closely associated with disaster recovery planning, but covers a broader scope. For purposes of this seminar we have chosen to use a definition that focuses on how to ensure continuity of operations when we lose access to key people, facilities, information systems, resources and services due to a natural or human derived calamity.
Consider as well, as a part of this definition, “Reputational Risk”, understood as “the risk of loss from any event arising in the conduct of business which damages any stakeholder’s perception of the organization or brand.” NACD Blue Ribbon Report.
Importance of Planning, and a Plan
There are sufficient reasons to engage in crisis planning and management. Crisis management emphasizes preparation because preventing problems is much less expensive than damage control after the fact. Effective crisis management addresses the perceptions that surround organization practices, hazards, and accidents by recognizing that perceptions are often the true driver of a crisis situation. By participating in such a process before a crisis actually develops, management also saves valuable time and stress. Management will have hashed out their differences before the crisis, and will be able to more calmly address a major event when it occurs.
As stated by the ICM, http://www.crisisexperts.com, in instances where the crisis already has erupted, or it is inevitable the crisis will impact the organization’s key stakeholders, a crisis management plan is needed to minimize the disruption and financial damage. Developing a crisis plan can seem like a daunting task, but in actuality it can be a common-sense document. It involves identifying those functions and processes that are critical to the organization, then designating the management, operational and communication plans to deal with potential issues.
The General Counsel Roundtable (http://www.executiveboard.com/legalandcompliance) identifies certain primary objectives when creating an effective crisis and compliance management program:
- Reducing tension during the incident;
- Demonstrating commitment and expertise to deal with the situation;
- Controlling the flow and accuracy of information;
- Managing human, technical, and financial resources effectively throughout the crisis;
- Business and operations recovery; and
- Ongoing monitoring and gap analysis
Crisis Management Plan Elements
There is no single crisis plan that works for every organization. However, there are certain major, or “core”, components of any crisis management planning. The major elements of effective crisis management planning typically include:
- Identification of a Crisis Management Team (CMT);
- Assessment of the most likely crisis scenarios;
- Development of a written crisis management plan, prioritizing identified risks based on severity and probability, and other factors;
- Periodic crisis training and evaluation exercises;
- Crisis communications; and
- Continual monitoring, review and refinement of the plan.
Crisis Management Team (CMT)
Each CMT member should bring an area of expertise to the table to work together. Bringing together and integrating multidisciplinary functions in the planning process is essential, including:
- Legal. This individual typically is the chief legal officer for the organization, and should be experienced in managing claims resolution and litigation, and also able to collaborate with the communication teams to advise on message content.
- Spokesperson. This individual is responsible for the coordination and delivery of commentary to the press, employees, customers, suppliers, government officials, and other stakeholders. Presumably, this individual will have a sensitivity for sound public relations.
- Technical and operations expertise. These individuals are extremely knowledgeable of the way the company operates, and of its information systems, and maintain strong relationships with key operations personnel, with the background and experience to provide details on processes, normal operating parameters and causes and results of upsets. If called upon, these individuals must be able to communicate in easy to understand terms.
- Financial. This individual is in a position to instantly authorize large expenditures to remediate a crisis, if necessary. The individual’s understanding of potential reactions by the financial community may be important information for the CMT.
- Risk Management. In an event with consequences to persons and/or property, internal or external to the organization, a person with expertise in property, life and health insurance is needed. This person is essential to manage the multiple insurance companies and claims that often follow an event.
- Human Resources. Someone must be assigned the duty of working with employees, as well as with the local community in the coordination of humanitarian assistance. For instance, some crises may involve placing evacuated families in hotels for extended periods, and both employees and their families affected by a crisis may have a variety of immediate needs.
The lawyer’s role in crisis planning warrants special analysis. Crisis management planning must include consideration of the legal risks an organization faces and how the organization is going about responding to those risks on a day-to-day basis, with particular focus on the organization’s legal compliance program, as well as the organization’s planned responses if material litigation or government enforcement activity arises or is threatened.
An active, effective legal compliance program is an essential element of preparing for legal crises. It will prevent many legal violations, identify legal problems at an early stage when they are more manageable, and pay dividends in lower penalties, and sometimes complete relief from legal penalties, if the organization is charged with violations of law. Indeed, the United States Sentencing Guidelines for Organizations are written to encourage and credit organizations for maintaining an effective compliance program.
Consider the various possible sources of legal risk that could lead to a crisis, including:
- Violations of law, such as:
  - Obstruction of justice due to attempts to cover up wrongdoing in the wake of a crisis;
  - Securities violations, such as cashing in stock based on little-known information about a crisis;
- Injury to people or property;
- Violations of the organization’s agreements and commitments, or other legal rights of third parties;
- Conflicts of interest, particularly among those with fiduciary responsibility in management and on the board of directors; and
- Preference payments or “fraudulent transfers” on the eve of a declared bankruptcy, should the crisis yield this result for an organization.
Legal counsel should be available to identify such risks, and establish a means to best address them, without unduly burdening appropriate crisis response plans.
Crisis identification
Once a crisis management team is assembled, participants begin to identify the most likely crisis scenarios the organization may face. For this exercise, there are at least four basic questions to consider:
- What could go wrong? What are the events that could expose the organization?
- To what degree would this truly impact the organization’s ability to execute its strategy?
- What are the key consequences that could arise from these events?
- Who within the organization is responsible for managing the particular risk exposure?
One method of starting out is to place potential crises in one or more of four general categories: natural disasters, technological incidents, criminal activities, and marketplace/political situations. Another method of identifying crises is to characterize them by the severity or length of time over which they may have impact on the organization. This would include:
- Sudden, unexpected events that produce harm;
- Long-term crisis periods triggered by a sudden or incrementally growing event;
- Periods of change following key organizational decision-making and implementation; and
- Ongoing challenges to business culture resulting from any of the above scenarios.
A good starting point for the CMT is to consider historical problems or crises that have affected the organization in the past, as well as current events that could affect organization operations going forward. After drafting an exhaustive list of possibilities, the CMT then prioritizes the list and determines an appropriate cutoff point for incorporation into the crisis management plan. Important cutoff considerations are probability of occurrence, severity of the impact on the organization, and resources available for scenario development in the plan.
Attached as Appendix B is a PowerPoint presentation to a hypothetical board of directors illustrating this identification process, including a chart indicating the results of weighting each identified crisis based on probability of occurrence and severity of impact to the organization. The weighting allows for prioritization of the various crises for better planning, attention, and allocation of resources.
Once potential scenarios, severity and probability of occurrence are determined, the CMT next considers the impact of these crises on a variety of stakeholders – for instance, the media, the community, employees, investors, customers, the financial community, government agencies, and regulators. Once these scenarios are outlined carefully and the list of stakeholders identified, an organization can begin developing a written crisis management plan document.
Crisis Management Plan Document
The plan for addressing crises will inevitably vary among organizations, based on unique concerns about regulations, marketplace, staff, community, and other variables. However, regardless of how the final planning product is arrived at, most plans will contain the following components:
- Specific and up-to-date listing of names, titles, contact numbers, and addresses of each CMT member, and any advisors. This includes email and Twitter addresses, and other social media contact information for key personnel, as well as a listing of the recovery responsibilities for each.
- Description of the process for identifying all critical issues, the potential problems that may arise from these issues, and guidelines for activation of the CMT.
- A list of local and national agencies, organizations and elected officials that need to be contacted during and following a crisis.
- Identify minimal personnel, supplies, data, equipment, and other resources that will be essential to support key functions and recovery efforts.
- A list of key customers and vendors, including emergency supply vendors, who should be notified of any business continuity issues and immediate supply needs. More specifically, identify services, business processes, applications, and normal support tools that must be sustained during any type of interruption.
- Possible scenarios for an unfolding crisis, and the roles and responsibilities of employees for each scenario.
- Information on how the crisis plan identifies and complements other existing emergency systems or procedures of the organization.
- Identification of each individual primarily responsible for handling each element of the crisis, as well as for ongoing operational management of the organization, and, in each case, the backup.
- Identification of the workplace location, supplies, and communications resources needed by the CMT.
- Procedures for ongoing documentation of the crisis events – chronicling – which will provide invaluable information that may be used later to reconstruct the incident and other details of the response.
- A process for handling claims and inquiries should litigation or other liability ensue.
The plan should detail the response expected of each CMT member in the course of a crisis, as well as during the following three critical phases associated with an incident:
- First actions – This involves stabilizing the situation immediately following a crisis incident. It is useful to understand in advance the role, responsibilities and powers of the emergency services.
- Incident management – bringing the situation under control, following initial reaction and activation:
  - Communicating with staff, customers and other stakeholders and the media; and
  - Making strategic response decisions.
- Business resumption – the procedures needed to resume an organization’s processes:
  - Identify tasks to be undertaken by individuals on the CMT;
  - Identify key contacts, suppliers and resources;
  - Procedures for the recovery of information and documentation;
  - Telecommunications requirements for resumption of operations and communications; and
  - Staffing requirements for delivery of an acceptable level of service.
Crisis communications
A crisis inevitably will require dissemination of information, for the purpose of keeping stakeholders advised, to coordinate the response, and to meet regulatory obligations. This begins the crisis communications phase. This is the point at which the flow of information is no longer primarily within the organization’s control, whether with employees, customers, vendors, government officials, or the public at large.
Good communications are at the heart of any crisis management team. All communications in a crisis should reduce tension, demonstrate a corporate commitment to correct the problem, and take control of the information flow. Messages should demonstrate real empathy and emphasize problem solving. Good communications also involve listening to public concerns, following up on requests for information, and being scrupulously accurate. Communication in a crisis requires good management, and provides an essential public service while helping to protect an organization’s reputation.
A written crisis communications plan should be prepared, containing the following elements:
- Local employee roles and responsibilities;
- Evacuation plans and assembly points;
- Procedures for resuming business;
- Guidelines for designated spokespersons;
- How to communicate with employees regarding work stoppages, injury, and general notifications;
- How to work with the media and community leaders;
- Organization assistance in community recovery efforts; and
- Maintenance of an event history log.
When dealing with the media, organizations should demonstrate a willingness to communicate openly and honestly to their audience, and present a plan to resolve the particular crisis. The following strategies are key:
- Apologize to constituents, where appropriate – acknowledge failure and publicly recognize stakeholder and customer concern over issues, as this serves to maintain a positive image and impart a sense of responsibility.
- Outline response plan – discuss specific, positive steps taken to conclusively address an issue, as this instills consumer confidence and reassures stakeholders of the organization’s proactive efforts to resolve the situation. Publicly announce any investigation, request or cooperation with appropriate public authorities.
- Emphasize the positive track record of the organization – demonstrate the organization’s positive past performance, as this limits speculation of widespread problems and encourages the public to recognize an organization’s prior good reputation.
- Provide continuous disclosure – transparency is a key tactic in alleviating public concern during a crisis, and leverages the media to effectively communicate to constituents ongoing response efforts as well as information on crisis resolution.
Periodic Crisis Training and Evaluation
Once an approved crisis management plan document is created, an organization must assure that everyone understands their roles, and the framework of the plan, on an ongoing basis. Through a training process, the plan will be refined and employees will be more knowledgeable. Other benefits of crisis training include:
- Addressing potential legal issues before an incident occurs;
- Developing and testing proactive investigation procedures;
- Identifying a need to update systems and equipment;
- Assessing the media relations skills of designated spokespersons; and
- Gaining additional insight while responding to unexpected developments.
These training sessions can include:
- Crisis drills;
- Reviewing facility emergency response plans, and related trainings; and
- Spokesperson (“and surrogate”) training.
Crisis drills are a way to exercise the plan, and apply it to realistic fact situations. The organization should periodically reassure itself that the plan still works, and that people are aware of the role they play, and also test the readiness of external suppliers or vendors. The plan may need to be amended to address such things as:
- Errors that are identified in drills;
- Recent changes to the business;
- New requirements from customers or vendors; and
- Changing legislation and regulation.
Monitor
Once a plan has been determined, it should not be considered a one-time analysis, but rather a continual process implemented within the organization. As time passes, a number of elements of your quantitative analysis will likely change:
- Refine the risk process – complexity or additional strategies may be added to the plan to make it more robust, and the organization may also determine that certain strategies no longer add precision or reflect its current view of the risk process.
- As time passes, the organization will evolve and new risks may be identified as candidates for analysis, and certain risks may diminish as the threats no longer warrant inclusion in the plan.
- Probability distributions and indicators may change over time.
- New mitigation options and insurance products may become available.
- Anticipate changes in the business model, competitive landscape or regulatory environment.
- Anticipate changes in technology; advances in computing power and certain modeling techniques for assessing risk will surely present themselves in the future.
Role of the Board of Directors
The primary task for a company’s leaders, according to Peter Drucker, is “to make sure of the institution’s capacity for survival – to make sure of its structural strength and soundness, of its capacity to survive a blow, to adapt to sudden change, and to avail itself of new opportunities.”
The role of the board of directors for a well-prepared organization in a crisis situation is often not much different from its role outside a crisis – to be informed of the situation and management’s planned response, and to meet periodically as needed to receive reports of how management is doing and to provide the necessary authority for material actions by management. The role of a board at an organization with poor to non-existent crisis response planning under the same conditions will be radically different – the board may be required to provide daily, hour-by-hour direction to management, or in some cases supplant management’s role entirely and assume responsibility for managing the crisis.
It is the board’s responsibility, ultimately, to see that crisis response planning receives appropriate emphasis among the many issues competing for the attention of the board and management. Yet, no amount of work by a board will replace the work that management must do to implement effective crisis response planning. Except in very unusual cases, directors are too far removed from the front lines to have the necessary information to be able to foresee the very large number of practical issues that a given crisis scenario may present for an organization. Boards should bear in mind:
- Directors ensure good management, they do not provide it.
- Directors direct, they do not manage.
- The role of director is governance, not management.
What a board typically can do is determine whether the organization has the following elements of crisis planning in place:
- High standards of integrity throughout the organization;
- A risk evaluation and management program;
- A risk identification program;
- A multidisciplinary crisis response team identified;
- Crisis response drills;
- A written, organization-specific crisis response plan; and
- A written communication plan.
As stated earlier in this paper, the precursor to crisis is risk. Risks that are appropriately identified and understood immediately become less likely to provoke a crisis. An important role of the board is defining an acceptable level of risk-taking for the organization, and then monitoring management to ensure the defined levels of risk are not exceeded. “Resilience is an important issue for many companies today, and boards need to be satisfied that their company has appropriate business continuity plans.” NACD Blue Ribbon Report.
Among the “Principles of Effective Risk Oversight” for the board reported in the NACD Blue Ribbon Report are the following pertaining to crisis and risk management:
- “Understand the company’s key drivers of success.” Knowledge of the organization’s business and industry, and staying abreast of the issues and developments affecting the organization, are important.
- “Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources.” Specifically, assure that management has:
  - Identified the organization’s primary risks;
  - Assessed the potential severity, probability, timing and costs of impact of these risks;
  - Applied a strategy to avoid, manage, shift, or mitigate the risk;
  - Put a system in place by which to monitor the risks; and
  - Put a system in place to communicate about the risks throughout the organization.
- In particular, the Report advocates that boards ask management to explain the following issues:
  - How will risk be measured – qualitatively or quantitatively, or both ways?
  - What measures and methodologies will be used to assess the risk?
  - How will risk analysis and reporting information be used during strategic planning?
  - How will risk be integrated into financial and strategic management processes?
  - How will risk be monitored?
  - How will management communicate risk and risk management to stakeholders?
- “Encourage a dynamic and constructive risk dialogue between management and the board including a willingness to challenge assumptions.” Open dialogue is described as an environment where directors are engaged, ask probing and illuminating questions of management, and seek out the opinions of other board members and management alike.
- “Consider emerging and interrelated risks: What’s around the next corner?” The board needs to look forward to understand elements in the environment that may impact the conduct and effectiveness of the organization in the future.
- An important risk that every board needs to consider is ‘management risk’; that is, the risk that management will be unable or unwilling to perform and execute the strategy agreed upon by the board.
- “Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives?” Questions that a board should address in this area:
  - Do our discussions reveal the extent of risk the organization is taking?
  - Do we have an efficient method to identify top risks to the organization?
  - Do we have the tools and resources to fulfill our risk responsibilities?
  - Are we receiving the necessary board education and training regarding risk?
  - Do we have a system to manage risks effectively?
  - Do we have systems in place to quantify the upside – as well as the downside – of the risks the organization is taking?
Conclusion
Crises are unavoidable, regardless of the size, type or business success of an organization. Liability will be determined in a court of law, but the court of public opinion is just as important to an organization’s future. A crisis management plan can effectively minimize effects of an incident or events to an organization’s reputation, market share and financial well-being. More importantly, a crisis management plan can provide valuable leadership in restoring a community or stakeholder group adversely impacted by an event. While there is no legal requirement for a crisis management plan, legal counsel must play an integral role in the development and implementation of any management plan.
Implementing a robust disaster or crisis recovery and continuity of operations plan is not an easy or brief endeavor. The following steps can help smooth the way:
- Engage. All stakeholders need to understand why the organization is investing in a disaster recovery and continuity of operations solution, starting with formation of the crisis management team, or CMT.
- Calculate. It is important to convey in conversations among the organization’s top executives what a disaster recovery system will cost. Management needs to understand not just the initial capital outlay but what it will cost to maintain.
- Plan. It’s not enough to virtualize or build a plan on paper. Organizations need to assess their operations and performance and understand how everything works together so they can plan and prioritize redundancy levels and response times for various parts of the plan.
- Test. Don’t wait for a disaster to see if a recovery and continuity plan holds up under the pressure. Test your plan to discover any gaps in coverage or documentation, and to make sure everyone understands their roles and responsibilities in an emergency.
- Monitor. Implement a change control process to monitor and identify any changes that might affect the ability to perform disaster recovery. Review and update the overall plan annually or whenever a significant change occurs.
APPENDIX A
Sample Questions for Crisis Management Experts:
- How can our organization determine its readiness for business continuity planning, and the associated discipline/diligence needed to maintain the plan?
- What are the most important considerations when prioritizing services and their corresponding continuity measures?
- How can an organization determine a business continuity plan that best fits its environment and organizational culture?
- Should any organization require its risk or crisis managers have a business continuity certification? I understand the Business Continuity Institute, in the United Kingdom, and DRI International, in Falls Church, VA, are nonprofits that offer certification at different grade levels: Senior and Master levels respectively.
- Medtronic, Inc. made a strategic decision some years ago to stop “playing” the insurance marketplace for the purpose of shifting the financial burden of risk, and to free resources to focus increasingly on proactive risk assessment. Is this accurate, and how is it working?
- How a crisis can become a disaster:
  - Assume that evidence of a problem must be wrong
  - When evidence mounts, cover up the problem; let the lawyers manage the response strategy – admit nothing
  - When the problem becomes public, minimize it
  - Never display remorse
  - Take plenty of time to study the problem
  - Have the highest-level responsible individual go into hiding
  - Attack the media
  - Anger the regulators
  - Frequently reverse your position and contradict yourself
  - Give priority to saving money on the front end
- How and when do you determine how to address each risk –
  - Prevention
  - Avoidance
  - Mitigation
  - Transfer (insurance)
- Attorney-client privilege – when, how, why invoked?
- Regulation FD – “fair disclosure” – avoid selective, material disclosures concerning the crisis and the risk(s) it represents. Are there special rules or guidelines in the heat of a crisis that apply here?
[1] The ICM defines a “smoldering” crisis as: Any serious business problem that is not generally known within or without the business, which may generate negative news coverage if or when it goes “public” and could result in fines, penalties, legal damage awards, unbudgeted expenses and other costs.
[2] The ICM defines a “sudden” crisis as: A disruption in business which occurs without warning and is likely to generate news coverage, including fires, explosions, natural disasters and workplace violence and adversely impact operations.