What Is Crisis Management?

Disasters and other events that stop normal business processes require that management take immediate action to ensure the health and safety of personnel, and the viability of the enterprise.

Key Elements of Business Continuity Planning

Gartner defines business continuity planning (BCP; see Figure 1) as a process with five essential components:

• Disaster recovery
• Business recovery
• Business resumption
• Contingency planning
• Crisis management (required for the entire event)

Figure 1

BCP Components

Source: Gartner Research

Crisis management is the enterprise's first response to an event that could change the way business operations are normally conducted. A well-managed approach to such an event will help significantly to ensure that employees, customers, partners, investors and the general public continue to have confidence in the financial viability of the enterprise.

Gartner estimates that 85 percent of Global 2000 enterprises have established a disaster recovery plan that addresses the recovery of their core technology infrastructure, but only 15 percent have a full-fledged business continuity plan covering all five critical components. This is dangerous; enterprises must shift from a disaster recovery focus to business continuity because most, if not all, stages of the business life cycle now totally depend on IT services. BCP is vital to the maintenance of public, customer and investor confidence.

E-commerce initiatives do not change the five components of BCP, nor do external events impacting the normal business cycle. These factors simply place more importance on the enterprise’s contingency and crisis management plans because of the public nature of outages and the increasing reliance on external services providers for processing. The potential range of failures must be determined from an organizational perspective, and all interdependencies must be planned for appropriately. Each component of the business process must be addressed in the recovery plan, and enterprises must perform an end-to-end analysis of the information flow through internal and external processing environments to successfully provide recovery options for all potential scenarios.

An Effective Crisis Management Team

The crisis management team is responsible for managing the event from an enterprise perspective and covers the following major activities:

• Supporting personnel and their loved ones during the crisis
• Determining the event's impact on normal business operations and, if necessary, making a disaster declaration
• Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
• Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media and other interested parties

An emergency response/damage assessment team should keep the crisis management team apprised of the status of the event, focusing on the damage it caused to normal business operations.The emergency response/damage assessment team should consist of onsite personnel working with the following entities:

• Local law enforcement and other officials (e.g., fire and police)
• Utilities (e.g., gas, electricity and telephone)
• Facilities management

A command center must be established from which the event can be managed (until a disaster is officially declared or reentry to the regular facility is possible). Enterprises should consider establishing a “virtual” command center to limit the vulnerability caused by all senior executives being in one location.

An effective crisis management team must have participation from:

• Senior management from each business unit
• Human resources
• Facilities/building management
• Risk management (operational, financial and IT)
• Legal/compliance
• Communications/public relations
• Chief information officer/chief technology officer
• Business continuity manager

Personnel Management and Notification

Personnel Head Count: If a disaster occurs during business hours, the first response is usually to evacuate all personnel. A complete head count must be conducted as soon as possible after evacuation. Management should attempt to identify all personnel who have been injured, including those who may be able to seek medical assistance on their own (as they may become lost in the confusion, causing their families undue concern). Management must keep a record of personnel who are offsite for any reason — e.g., vacations, training, illness or business travel.

Personnel Contact Information and Call Tree: Because not all disasters occur during business hours — and because not all personnel will necessarily proceed immediately to the evacuation location — personnel contact information is essential to management's efforts to reach and account for all personnel. Management must document and regularly update a broad range of contact information — including home, office, vacation home and mobile telephone numbers, work and personal e-mail addresses, and pager numbers — to ensure that many contact channels are available.

The establishment of a call tree — i.e., a list that defines who is responsible for calling whom in the event of a disaster — makes contacting personnel significantly easier. The call tree must be updated frequently and following any change in organization, location or employee contact information, and tested, at minimum, during testing of the business continuity plan. Tests should be unplanned to ensure realistic results. Enterprises may use automated services for call tree testing and for implementation of the call tree during an actual disaster.

Emergency Information Card: An emergency information card will remind all employees, consultants and contract workers of critical information during and after the event. Typical components of an emergency information card include:

• Immediate evacuation location: an address near the facility where personnel will assemble immediately after the event so that a head count can be taken and instructions given regarding the management of the event
• Assembly location: an address where personnel not involved in the recovery operations, but not immediately sent home, can be sheltered, supported and given frequent updates on the event (depending on the scope of the event, reentry to the building may be possible)
• Recovery location: the address of an alternate processing site where business will be resumed after a disaster is declared
• Emergency hot line: typically, a toll-free telephone number that personnel can use to receive and disseminate information
• Business continuity coordinator — the name, telephone number and e-mail address of the person responsible for each department’s recovery response

Balancing Personal and Enterprise Concerns: Many enterprises developing crisis management plans are rightly concerned with finding ways to enable their personnel to balance personal and family concerns in the event of a disaster. Many of these enterprises have found that the personal preparedness training offered by the American Red Cross is useful. Information about these programs can be obtained at www.redcross.org.

References

The following references may be of value to enterprises preparing crisis management plans:

• "Emergency Planning Guide for Continuity Officials" (New York publication, 1999)
• U.S. Federal Emergency Management Agency (FEMA) Web site — www.fema.gov (includes a list of courses and workshops related to emergency management)
• Federal Response Plan — April 1999 (FEMA document 9230.1-PL)
• Individual state emergency management agencies (often divisions of the Department of Public Safety)

The underlying principle of effective BCP is preparedness: being ready to deal with a disaster that may render the enterprise inoperable for some time (typically, a minimum of 30 days). Preparedness requires that management discuss all possible event scenarios and establish well-planned, documented and tested procedures that will go into effect when a disaster occurs. The worst possible time to make crisis management decisions is during the disaster itself.

This research is part of a set of related research pieces. See AV-14-5238 for an overview.