Policies and protocols. The types of risks a company may face can be determined prior to an event, although the scope and unique peculiarities will change on a case-by-case basis. Pragmatic crisis management protocols should be developed to support management structures in dealing with the initial effects of an emergency, reduce the initial and subsequent impacts, and bring some degree of control to the event. Protocols also provide a handrail for less experienced managers to guide them through decision making and information gathering, offering direction and confidence during the early stages of an event.
Report templates. As part of the crisis management protocols, employees should also learn how to use crisis-management report templates. These templates provide basic guidelines to employees on how to report an incident. If managers design these templates effectively, employees will only need to fill in the blanks to provide the right information.
These templates should ask for data such as the date and nature of the incident, how many people were injured, what type of damage or loss was incurred, the names of those involved, and what mitigating action was taken.
Record keeping. Information in the report templates becomes part of the official record of the crisis. This documentation is used in any subsequent government or civil audits, employee issues, and insurance claims, for example. In addition, this information is critical for learning from a crisis and protecting against any ramifications arising out of the incident.
Lawsuits against the company, for example, can surface months or even years after the crisis. Those involved in the crisis might have faulty memories, and many key players may have moved on to different jobs, making an accurate defense difficult absent good records.
Postincident review. Following any incident, the company’s crisis management teams should conduct a detailed debriefing at all levels of the company to ensure that mitigating procedures were fully implemented and that any follow-up requirements were met.
For example, following the evacuation of a site due to severe weather, the company might review whether the facility was correctly secured and what damages to infrastructure might have been avoided. In addition, the success of any methods of remote business operations, such as telecommuting, might be evaluated based on the ability of management to operate without power or utilities.
The purpose of a postincident review is to address gaps that might hinder operations in future crises. For example, the company might review whether management and site staff were correctly trained in the existing policies and plans as well as how their ability to respond confidently and effectively might have been enhanced. If gaps and shortfalls are identified, training may be a logical remedy.
Monitoring. The crisis-management teams must keep the protocols and records current. Training and contact information should be updated, team members should be briefed on changes in the company, and threat assessments should be altered to reflect evolving geopolitical realities.
Companies must monitor fluid risks, especially man-made threats such as crime and event-driven risks such as rallies or protests. Companies should review the types of risks and how these might change or evolve over time. Policies and plans may need to be periodically adjusted to address changes.
Companies are constantly at risk of an incident that may create a crisis. Whatever the nature of the situation, however, an established, organized crisis-management plan can help the business respond appropriately. n
Michael Blyth is director of risk consulting for BSG LLC based in Washington, D.C. He is author of Risk and Security Management published by John Wiley & Sons.