Back from the ISACA Belgian Chapter meeting. Today’s topic was “Crisis Management”. As usual, it was very interesting and a lot of experiences were shared between the participants.

What first emerged from the meeting was how differently companies define a “crisis”. For some of them, a crisis must be fixed in a few hours; for others, in a few days. Some crises have financial impacts; others affect reputation or human health. Note that Belgian law has an official definition of a crisis (AR 18/04/1998):

A crisis is an event which, by its nature or its consequences:
* Threatens the vital interests of the Nation or the basic needs of the population
* Requires urgent decisions
* Requires the coordination of different departments and agencies

It may indeed be situations where the social order, democratic institutions, security or public order are threatened by public disorder (risk events, a terrorist threat, food crises), but also by natural disasters, catastrophes or disasters of natural or industrial origin.

Here follow a few reflections about crisis management… A crisis is part of the following chain: “Event -> Incident -> Crisis -> Disaster”. A disaster can be defined as a major crisis which requires the help of one or more external partners (the crisis has major impacts and cannot be resolved by the company itself). A series of events is responsible for an incident, and this incident, if not properly mitigated, can lead to a crisis. A crisis can also be defined as an unpredictable incident. The term “unpredictable” does not mean that the company cannot prevent the crisis (“how” or “what”), but that it is not possible to know “when” the crisis will occur (but it will!). That’s the role of the analysis: to identify all the risks, assess them (rate of occurrence, impact) and finally define countermeasures.

A key question is: when does an incident lead to a crisis? Thresholds can be defined, but their interpretation is very subjective and depends on the business.

Crisis management is based on (non-exhaustive list):

  • An analysis of past crises (learn lessons from the past)
  • Good preparation
  • A precise set of scenarios (what if… or if …)
  • Evidence (for post-crisis analysis – forensic search)

An important step in crisis management is communication! In case of a crisis, never try to hide the impact from your customers, shareholders, … Be transparent, or you run a higher risk of losing your credibility. Internal communication is also important (via training and awareness campaigns). In case of an IT problem, everybody will call the helpdesk. But whom should they contact in case of human health or facilities problems?

Another key question is “who owns the crisis?” The owner is not necessarily the executor of the crisis plan (depending on the company size). Who decides to declare a crisis state? It’s best to let a group of managers decide to switch to a crisis state, to avoid attempts to hide suspicious activities (the financial sector is a good example). This is the principle of separation of duties.

Finally, the crisis management team must be composed of managers from the key departments (all of which can be affected by the crisis).

That’s what I wrote down during the presentation. A lot of participants (and I) agreed on the fact that the meeting length was too short to cover the whole topic. Some examples were given during the presentation but, one more time, a crisis plan is directly related to the company and its business.

