First, let me say thank you for all the great comments and questions during the “Creating a Crisis Management Plan” Webinar hosted by ICMC on September 28th.  Between running short on time and me starting to lose my voice – I never got to answer all your questions.  So, with the help of Rob and Mike over at ICMC, I have the full list of questions and will go through each one here.  Some are actual questions, others are comments as shown below.  Feel free to reach out to me (mhoffman@anesis.ca) if you’d like to continue the conversation further.

Comment: (Peter) Terms and definitions are important as well… too many people get confused at this point. At this point of the presentation I was discussing the governance structure and framework of the Crisis Management Plan. Peter is spot on with his comment. Just this week I had to clarify the difference between ‘business continuity’ and ‘disaster recovery’ with a client who was using the terms interchangeably. Words matter: business continuity is about keeping the business functions running, disaster recovery about restoring the technology they depend on. So, I define the terms in the Framework of the program and explain and socialize them in training and awareness sessions – which is another key aspect of your program.

Comment: (Glen) I suggest to clients that they make this part of their team’s personal KPIs and a set part of their performance reviews. We were discussing the program’s governance and reporting structure, and how to report on program maturity. Rob replied to Glen by saying “Glen, your point is very important. Some organizations don’t and this impacts the program.” Tying the program to personal KPIs can be written into your Framework document, and I fully support this approach. Just know that it takes time for programs to mature, so you may not score as high as you’d like early on. Teach patience, and make steady progress to show the program’s growth.

Question: (Matthew) Are there forms/templates for priority matrix and impact profile? The only ones I’ve seen are the ones I’ve developed myself. Mine are Excel based (see my blog on ICMC regarding BIA data). I capture BIA data in a series of workbooks and compile it into a repository. I then have a reporting spreadsheet, used at time of crisis, that shows an impact profile (the business units and functions most affected by the incident), a priority matrix (recovery priority based on a formula of impact and urgency), a system outage cross reference (the business functions affected when a given system is lost) and a point-in-time graph showing impact over time. A lot of data is collected in the BIA, and it generally takes a lot of time and effort to collect, so why not use it?
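As an added example (not the author's workbook or anything shown in the webinar), the Python sketch below compiles a few constructed BIA records into the reports just described: a system outage cross reference, a priority matrix, an impact profile and a point-in-time impact view. The 1 to 5 impact scale, the RTO-to-urgency bands, the impact times urgency priority formula and the sample records are all assumptions made for illustration.

```python
"""Compile constructed BIA records into crisis-time reports.

Assumptions for this example (not the author's workbook): impact is scored
1..5, urgency is derived from the RTO captured in the BIA, and recovery
priority is impact x urgency. The sample records are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BiaRecord:
    unit: str            # business unit that owns the function
    function: str        # business function assessed in the BIA
    impact: int          # 1 (negligible) .. 5 (severe), assumed scale
    rto_hours: int       # recovery time objective from the BIA
    systems: frozenset   # systems the function depends on


# Constructed sample BIA data for the example, not real client data.
BIA = [
    BiaRecord("Finance", "Payroll", 4, 48, frozenset({"HRIS", "Banking gateway"})),
    BiaRecord("Finance", "Accounts payable", 2, 120, frozenset({"ERP"})),
    BiaRecord("Operations", "Order fulfilment", 5, 4, frozenset({"ERP", "WMS"})),
    BiaRecord("Operations", "Customer support", 3, 8, frozenset({"CRM", "Telephony"})),
    BiaRecord("Sales", "Quoting", 3, 24, frozenset({"CRM", "ERP"})),
    BiaRecord("HR", "Recruiting", 1, 168, frozenset({"HRIS"})),
]


def urgency(rto_hours):
    """Map an RTO to a 1..5 urgency band; the band limits are assumptions."""
    for limit, score in ((4, 5), (24, 4), (72, 3), (168, 2)):
        if rto_hours <= limit:
            return score
    return 1


def priority(rec):
    """Assumed recovery-priority formula: impact x urgency, higher first."""
    return rec.impact * urgency(rec.rto_hours)


def system_outage_cross_reference(bia, lost_systems):
    """Business functions affected when any of the given systems is lost."""
    lost = set(lost_systems)
    return [rec for rec in bia if rec.systems & lost]


def priority_matrix(affected):
    """(unit, function, priority) tuples, highest recovery priority first."""
    rows = [(rec.unit, rec.function, priority(rec)) for rec in affected]
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


def impact_profile(affected):
    """Summed impact per business unit, most affected unit first."""
    totals = {}
    for rec in affected:
        totals[rec.unit] = totals.get(rec.unit, 0) + rec.impact
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


def impact_over_time(affected, hours):
    """Impact that has materialised at each elapsed hour.

    A function's impact counts once the outage has lasted at least its RTO,
    which is how the point-in-time view grows as the incident drags on.
    """
    return [(h, sum(rec.impact for rec in affected if h >= rec.rto_hours))
            for h in hours]


if __name__ == "__main__":
    # Scenario: the ERP system is down. Which functions, in what order?
    hit = system_outage_cross_reference(BIA, ["ERP"])
    for unit, function, score in priority_matrix(hit):
        print(f"{score:3d}  {unit:<11} {function}")
    print("impact profile:", impact_profile(hit))
    print("impact over time:", impact_over_time(hit, [0, 4, 24, 120]))
```

In the ERP scenario, order fulfilment comes out first (impact 5 with a 4-hour RTO), then quoting, then accounts payable; swap in the systems actually lost and the same views fall out of BIA data that has already been collected.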

Question: (Glen) In completing the BIA, who might best be involved in the impact analysis for “reputation?” When I gather people for the BIA workshops, I like to include upper management and the staff responsible for delivering whatever the business unit does – “workers and managers”. The workers understand the day-to-day activities, obstacles, dependencies, priorities, etc. The managers understand the impact to the business if the function is suspended, and this includes reputation. But reputational impact may be better understood by other senior leaders, which is why I also vet the BIA results across the organization; Enterprise Risk, Legal and Compliance teams generally have excellent input when it comes to reputational impact. The trick is compiling the information to a level where you’re not burying the leadership team in a mountain of data.

Question: (Paul) Do you recommend a particular CMT meeting approach, in terms of constituents, duration, use of alternates for main roles (e.g. comms, HR, ...)? To a degree this will depend on your organization’s size, complexity and structure, but without a doubt you’ll need leaders at the table representing Senior Leadership, HR, Technology, Communications, Legal/Privacy, Business Operations and Risk. Each leader must have an alternate, and the alternates must be included in exercises so they know what to do if the leader is unavailable. The duration of the meeting is something I set as part of the agenda, because it depends on the specific incident being managed.

Comment: (Peter) Will add Initial Response Agenda to plans. (Do we have to credit Mark?) Good idea! It’s good practice to know exactly what you’re going to talk about when you convene the team. (And I’ll waive the $1.50 royalty if you add this to your plans.)

Question: (Matthew) How does ICS map to the process you’re outlining? It’s actually quite consistent with ICS. Incident Command goes through a similar set of steps: understand the situation, establish incident objectives, develop the action plan, disseminate the plan, and execute/revise the plan. The initial response agenda I discussed follows the same arc: fully understand the situation, address any immediate items (including communications), then establish and act on the action plan.

Question: (Linda) But where do you put the “Action Plans”? The Action Plans I’m describing are specific plans developed in direct response to the crisis at hand. They are developed by the Crisis Management Team (in full or a subset) and disseminated to the individuals or teams responsible for executing them. Copies of the plans should be kept with the minutes of the Crisis Management session.

Comment: (Glen) I’ve found it helpful to make certain that the comms lead also has their own crisis sub-team that receives training and practices their role outside of the CMT. This might be an outside firm, who should know and adhere to comms guidelines. Couldn’t agree more. I highly recommend media training for anyone who may end up in front of a microphone representing your company. Thanks for your insight on this.

Question: (Elsa) How can you control your employees on social media? I will admit that this is easier said than done. There are two things that help. First, in EVERY business continuity plan that I write, I instruct the managers to remind their staff not to post anything about the incident on social media. Second, many companies have policies about this type of thing, and Glen replied to Elsa by saying “Elsa, your company should have social media guidelines that are reviewed with all employees. Some public companies I work with include this as part of the employee intake process and make employees review and sign them at each performance review. I find a lot of examples of those policies on the Internet. FedEx had a public policy as I recall.” Thanks Glen!

Comment: (Matthew) I’ve read/heard that you shouldn’t consider an exercise a success or a failure; they are just improvement opportunities. Matthew, you’re right. Now I don’t mean we should take on the ‘let’s not keep score because everyone is a winner’ mentality. (Nor will I hand out participation medals.) But we need to put the focus where it belongs: improving and maturing the program. If you’re a service provider trying to bump up your numbers by saying that 99% of your DR tests are successful, that’s one thing – but for those of us trying to improve our programs, stay away from the pass/fail mentality. Look for the things that worked well and for what Rob likes to call “lessons to be learned”. This is also why I use the term ‘exercise’ rather than ‘test’.

Comment: (Paul) I recommend CADA (Confirm, Analyse, Decide, Act) for Incident Response teams, because the process confirms to them whether or not to convene a CMT. If there was no need for a CMT, I class it as a near miss, but it should still be reported at relevant management meetings. Valid model.  I love the “near miss” classification.  Learn from every incident, even if there is no impact to your organization.

Question: (Glen) Any suggestions for how one can motivate management to address crisis plan concerns? For instance, how can I get a client to make updating their crisis plan – specifically for cybersecurity – a priority when there isn’t a crisis imminent? That is, how to get management to make updating the plan a priority… As I said during the session, I believe there is always a cybersecurity crisis imminent – so you may want to start there. But I understand the fatigue that comes from always being on alert, and complacency is a major threat to the program. I like to build programs designed around intelligence, using the priority and impact matrix I described above. If you can show the risk to the company, in terms of financial or reputational loss, from gaps in the plan or vulnerabilities in existing solutions, that *should* help. Audits (internal or external), compliance reviews and inquiries from the Board of Directors can be motivational too. Depending on your culture, bring case studies to your planning meetings: show what happened to Equifax or another company and explain how your vulnerabilities may be similar.

Once again, thanks to everyone who attended the session and provided questions, comments and feedback.