Every company must take the time to create, review and update their approach to crisis management. Crisis events are on the rise and are more expensive than ever. Not only are companies faced with natural disasters such as hurricanes, floods, tornados and fires; since the events of 9/11, the exposure to manmade events is on the rise. Companies now have to be concerned with intentional human-caused events such as terrorism, active shooters, workplace violence, security breaches and arson. Additional concerns are technology events and cyber liability leading to computer system, telecommunication and supply chain interruption.
According to Bo Mitchell, President of 911 Consulting, in the United States in 2012 there were:
- 4.1 million workplace injuries
- 2 million incidents of workplace violence
- $2.6 billion of property loss from non-residential structure fires
- 349,500 fire department responses to hazardous material spills
- 45,000 natural and manmade disasters
- 10,000 incidents of sudden cardiac arrest at work
- 5,999 accidental workplace deaths
Another indicator of increasing frequency of catastrophic events is the number of Presidential Disaster Declarations by year. FEMA tracks three criteria:
- Major Disaster Declaration
- Emergency Declaration
- Fire Management Assistance Declarations
Between 1981 and 1990 there were 298 declarations issued compared to 1,260 between 2001 and 2010. Since 2011, the industry has already reported 398 declarations — and we are not even halfway through the decade.
When it comes to crisis management, companies within one of these categories:
- Ready — These companies have a strong, comprehensive plan that can withstand the pressure of a crisis. They may have devoted staff or departments to crisis management. They are consistently identifying risk, training employees, performing drills and evaluating effectiveness of the plan.
- At Risk — These companies created a written document perhaps a few years ago. They may have some dialogue about crisis management. Perhaps they have a call chart and at one point identified first responders. Unfortunately, the plans are outdated and may not be sufficiently comprehensive to deal with today’s crisis management expectations.
- Unprepared — They completely lack any plan. They see only barriers to creating a plan and avoid creating one or focusing attention on the issue. They subscribe to the belief that crisis happens but not to them.
Why Crisis Management Matters
The economic slowdown over the last five years has left companies with more work and fewer resources. It can be difficult to justify the cost of crisis management planning and training because it is tied to an event that may or may not happen. However, companies simply cannot afford to bear the risk of being out of work for any period. A delay due to a crisis could potentially bankrupt even the most successful company.
Companies need to create a total program approach to crisis management that addresses all aspects of business including prevention, mitigation, resource management, emergency response, business continuity, disaster recovery, crisis communication (including social media) and incident management. An All Hazards Plan that can be rolled out in various phases is the best course of action. The private industry gold standard is the NFPA 1600.
In January 2004, the 9/11 Commission investigated the preparedness of private sector organizations and asked the American National Standards Institute to develop a consensus on a “National Standard for Preparedness” for the private sector. The end result was the recommendation that the Commission endorse a voluntary National Preparedness Standard® NFPA 1600®. The 9/11 Commission formally recommended the adoption and use of NFPA 1600, which can be downloaded at www.nfpa.org.
NFPA 1600 defines the essential elements of an emergency management and business continuity program. It does not prescribe in detail how to address each element. The standard is written using requirements instead of recommendations. However, as a voluntary standard, it is only mandatory for those entities choosing to follow it. It is expected that OSHA will adopt this standard in the next few years.
A main goal of NFPA 1600 is to protect people, property and the environment along with the business enterprise in compliance with laws and regulations.
NFPA 1600 Components
Program Management — Define management’s involvement and identify the personnel needs to oversee and implement the program. It requires the appointment of an advisory committee and a program coordinator to oversee the plan’s preparation, implementation, evaluation and revision. It requires defining an executive policy, goals, objectives, plans, procedures, budget, project schedule, periodic evaluation and records management practices.
Risk Assessment — Identify and analyze threats that affect operations, determining the likelihood of an occurrence, and implementing systems to monitor. This is accomplished through impact analysis extending to the impact of hazards on the safety of people, property, facilities, infrastructure and the environment.
Prevention and Mitigation — Assessing the vulnerability of people, property and environment from all hazards. It includes preventing and controlling the consequences, extent and severity of an incident that cannot be reasonably prevented. Strategies include program constraints, operational experience and cost- benefit analysis.
Resource Management — Recommend the establishment of resource management objectives in order to ensure that the program is appropriately funded, staffed and equipped. Personnel need to be trained and have the knowledge necessary to maintain the program. It recommends identification of any shortfalls and steps necessary to overcome them. NFPA 1600 includes requirements for logistical support including procedures to identify, request and track resources as well as activate, dispatch and deactivate these resources during an incident.
Plan Development — Specifies that the program shall include a strategic plan, emergency operations/response plan, prevention plan, mitigation plan, recovery plan and continuity plan. Key content includes objectives, roles, responsibilities, activation criteria, authority to declare and manage an incident, resource requirements, alternate work locations, communication capabilities, and strategies for internal and external stakeholders, and response and recovery processes. The responsibility to administer and keep the plan current falls on the program coordinator.
Training — Recognize the importance of training and education focused on awareness, individual roles in response and developing a strong business continuity plan. Ongoing and frequent training is recommended to keep the program fresh and current. Training records must be kept.
Exercises, Evaluations and Corrective Action — Require the organization to conduct regularly planned, documented exercises to verify that the program elements meet the stated business objective and to familiarize personnel with the response process. Lessons learned meetings and post-exercise program element reviews should occur with key findings incorporated into plan updates and future planning scenarios.
Program Revision — Conduct a review of the program whenever there is a significant change or triggering event that could call into question its adequacy. Possible triggers include change in use of hazardous materials, building additions, renovations, infrastructure, telecommunications, power supplies, water supplies, supply chains, workforce population, business acquisitions or diversions, new product launches and reorganization.
Even after all of our best efforts, a crisis may still occur. When it does, crisis preparation will increase the ability to manage the crisis. Crisis communication within the organization and externally will determine if we fall victim or rise up as survivors. Crisis recovery will ensure that our companies learn from the past and rise to the occasion to become stronger, better and resilient to live another day and continue the journey toward business excellence.