Thursday, August 27, 2015

Hip-Pocket Ruminations For Crisis Management Teams

I participated in a crisis management tabletop exercise today courtesy of the San Francisco Bay Area InfraGard Chapter.  The local chapter of the Business Recovery Managers Association (BRMA) joined the fun.  I was familiar with the structure of facilitated scenario-based role playing from many years of US Army Reserve staff training.  The injects kept us thinking about how unpredictable a crisis gets for an enterprise.  My genius ruminations are below.

Knowing how critical business processes will cross functional silos is a key to assembling the crisis management team (CMT).  Prioritizing the processes that the enterprise must immediately sustain helps determine the resources the team will allocate in its earliest decisions.  Having a single senior person designated as the communications manager ensures that all messaging themes are centrally routed before release and that all senior executives stay on message.

Outsourcing some of the response effort in public relations (PR), third-party logistics (3PL), or business intelligence (BI) means the enterprise gains a surge capacity to meet an existential threat.  One outsourcing risk is friction if the hired partners' IT systems are incompatible with the enterprise's systems, but the risk is worth taking.

The rehearsed crisis management plan should have escalation triggers in place so the CMT knows when decisions are beyond its authority.  Sending the big decisions to the C-suite keeps the enterprise's strategy in mind.  The business process recovery (BPR) team activates after the CMT has begun its work.  The CMT minimizes damage from ongoing problems, and the BPR team fixes what is broken as the crisis passes.

Crisis managers have plenty of resources for planning and training.  ISO standard 22301 governs business continuity.  Several competing organizations offer certifications in business continuity planning, so the choice may come down to which one adheres most to the ISO standards and is the least costly.  Having some members of a CMT get a couple of affordable certifications would not hurt.  Joining the US government's public-private partnerships like InfraGard, the Domestic Security Alliance Council (DSAC), US-CERT, and the National Council of ISACs (NCI) allows access to open-source threat intelligence.  Searching Google for case studies of the 1982 Tylenol crisis provides managers with the gold standard response.

Preserving an enterprise from a surprise threat is what boards pay executives to do.  Protecting employee lives and shareholder investments means designated crisis managers must write plans and run drills for multiple scenarios.  I no longer work for large enterprises, but this InfraGard/BRMA joint exercise reminded me of how teams should work together.  The Alfidi Capital crisis management plan is to be as brilliant as possible while Armageddon rages all around.