Before delving into the structure of a crisis management plan, I will share an example of a previous case, in order to put the importance of a crisis management plan into perspective.
United Airline 2017 Crisis
In early 2017, social media erupted with the news that United barred two teenage passengers from boarding a flight because of the leggings they wore. The situation quickly escalated as a nearby traveler tweeted about the incident. Far from apologizing, United released a series of tweets defending the gate agent’s actions and claiming that this was standard procedure for passengers flying as “pass holders”. The “pass holder” reasoning seemed to mollify some, but all agreed that the situation had been poorly handled.
The leggings scandal was nothing compared to what happened a few weeks later, however, when video surfaced showing a United Airline customer being brutally dragged and bloodied from a flight. While initial speculation was that the paying passenger had been asked to give up his seat because of overbooking, it was soon revealed that the seats were being repurposed for United’s own employees.
Despite having a swift response, United Airline CEO Oscar Munoz released a statement via social media where he defended the actions taken by the flight crew, in both cases lacking any sort of empathy and compassion for the battered and bruised passenger but did apologize for “re-accommodating these passengers”. In just 24 hours of this incident, United Continental Airline shares had lost $800 million dollars in total value.
CEO Oscar Munoz then made several follow-up statements shifting his tone to a more apologetic approach but his main stakeholder, the public, was not receptive to his sentiments, what occurred here is what can simply be called too little too late.
Since simultaneously circulating on social media, the lawyer for the battered passenger stated he has suffered from a concussion, a broken nose, and several teeth missing and he would require reconstructive facial surgery to repair the injuries sustained. United Airline demonstrated they had an unstructured Crisis Management Plan by how they responded to both situations and paid the ultimate price a major loss in company revenue and severe damage to their reputation.
In this article, we will examine the definitions of crisis management, the different types of crisis that can be experienced by organizations, and problems that can be experienced from having a poorly constructed crisis management plan. We will then examine the ten components that are needed to develop a well-structured crisis management plan. In addition, why an organization can use the ISO 22301 Security and Resilience — Business Continuity Management Systems, ISO/DIS 22361 Security and Resilience – Crisis Management, and the updated ISO 22329 Security and Resilience – Emergency Management.
What is Crisis Management?
Crisis Management (CM) is the overall coordination of an organization’s response to crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, or ability to operate and often involves the need to make quick decisions on the basis of uncertain or incomplete information. Crisis Management includes the development of plans, based upon an integrated approach with internal and external interested parties, to reduce the risk of various crises occurring. The implementation of crisis plans will minimize the impact of the crisis you are dealing with and assist the organization to recover and restart its normal activities as quickly as possible.
Let us briefly examine what type of crisis can impact many organizations:
Organizational Crisis: Product recall, dangerous goods or material spills, general employee safety concerns, public relations blunders, active shooter incidents, acts of terrorism, civil unrest, and communicable disease outbreaks.
Environmental Crisis: Earthquakes, fires, floods, and hurricanes.
Personnel Crisis: Workplace violence, employee strikes, issues regarding harassment, senior leadership errors, omissions and wrongdoings, kidnapping or hostage situations involving traveling for work, illegal or unethical misconduct.
Financial Crisis: A drop in demand for the company’s product or services, bankruptcy, stock price concerns.
Technological Crisis: Cyber-attacks, data loss, mishandling of confidential or proprietary information.
One of the major elements missing in most companies’ Crisis Management Plan, is the lack of trained and competent Crisis Management Team members to manage incidents. This has been shown as the main drawback in managing various types of crisis. The Crisis Management Team is largely responsible for creating the Crisis Plan. All team members have input, and the team also consults other stakeholders, such as the operations staff and senior management. The plan spells out important roles in the crisis response and each person’s responsibilities. Without an effective and competent Crisis Management Team the development and execution of a well-structured Crisis Management Plan is virtually impossible.
Deborah Hileman, President and CEO of the Institute for Crisis Management stated that: “A good crisis plan possesses a variety of elements that prepare crisis team members to effectively perform their duties when a crisis occurs.”
The graphic above lets us examine the 10 key components of a well-structured Crisis Management Plan:
- Risk Analysis: Outline the scenarios you think your organization could be impacted by. Having a more specific sense of these potential occurrences will guide your planning. You do not need to include every conceivable risk, but cover a broad range, such as; a natural disaster, a cyberattack, a loss of utilities, a technology failure, a financial crisis, an operational accident, or a product failure.
- Activation Protocol: Include numerous event triggers for the Crisis Management Plan. Triggers in the crisis and business continuity context are the natural first reactions to an emergency by an organization and have a major numbing effect. Using tier levels of urgency (Tier 1, 2, and 3) as your criterion, define the circumstances that activate a particular crisis response. Based on the type or location of the incident, the protocol should also direct your staff on how to respond. The protocol should establish some type of communication that signals the end of a crisis, as well.
- Chain of Command: Include a crisis managementrelated organization chart in your plan, so it is clear who has final authority and who reports to whom. Creating a well-defined organizational chart that supports coordination and consistency, is something that some decentralized organizations sometimes struggle to achieve. Depending on the seriousness of the event, your plan may call for additional layers of command.
- Command Center Plan: Determine what will serve as the base of operations for the team during a crisis. The establishment of Emergency Operations Center (EOC) is critical for the Crisis Management Team to execute the strategic aspects of the crisis management plans. In addition to the primary EOC, companies must have an established secondary Emergency Operation Center in the event the primary location has been compromised by the crisis or incident.
- Response Action Plans: Organizations need to perform detailed planning around how Crisis Management Teams (CMT) will respond to various scenarios. This planning includes assigning responsibility for each task as identified. Think of these response actions as modular elements that you should employ as the situation requires, intellectualizing crises in a way that your crisis management can be made scalable and adaptable.
- Internal Communication Plan: An effective internal crisis communication plan ensures your employees are prepared for and actively help to mitigate or reduce crisis situations, and have the necessary information, processes, and channels freely available if anything happens. It is just of such importance that they understand what is expected of them should a situation arise. You must also establish ways to disseminate urgent information to all employees, such as using a notification provider to send texts and automated calls or implementing a method for your employees to check in and report their safety and whereabouts.
- External Communication Plan: Define plans for communicating with the public and other key external stakeholders or interested parties by appointing a spokesperson. Write detailed instructions, including whom you will notify (e.g., media outlets in a particular geographic area), also draft holding statements, the details of which you can fill in later, once you have the relevant information.
- Resource Management: The Crisis Management Team is responsible for identifying, organizing, and coordinating resources and logistical support needed during an organizational crisis. This can be broken down into two broad categories of people, equipment, and supplies that are needed to create an effective crisis communication strategy.
- Training: Being able to execute your crisis management plan quickly is paramount, therefore, holding drills and exercises with the Crisis Management Team is crucial to that goal. Rehearsals or even tabletop drills can reveal flaws in the plan, practice will help the crisis team become comfortable with their individual roles and work together. Make sure to stay current by doing regular training.
- Review: Create a structured review process in order to schedule regular follow-up enhancement regarding your crisis management plan. Organizations need to implement Plan-Do-Check-Act (PDCA) cycle which is the process that encourages continuous improvement of the organization, section, or department. Because of its emphasis on continuous improvement, it aids in the reduction of waste and maximization of efficiency, it has become an important element of the lean management system of organizations.
The Use of ISO Standards to Manage Crisis
ISO 22301 Security and Resilience — Business Continuity Management systems is designed to help organizations prevent, prepare for, respond to, and recover from unexpected and disruptive incidents, and a Crisis Management Plan usually accompanies this plan along with the IT Disaster Recovery Plan and the Emergency Response Plan. The ISO 22329 Security Resilience – Emergency management – Guidelines for the use of social media in emergencies. It gives guidance on how organizations and the public can use and interact through social media before, during, and after an incident, as well as how social media can support the work of emergency services. This standard is applicable to governmental and non-governmental organizations involved in emergency management and crisis communication. This standard aids the use in counteracting social media misinformation and disinformation which can be used to damage the reputation of organizations and requires a crisis management plan to deal with a structured response.
At present the ISO/DIS 22361 Security and Resilience Crisis Management Guidelines for a strategic capability is being developed and this standard is to aid in the design and ongoing development of an organization’s crisis management capability. It sets out principles and practices needed by all organizations.
As such, organizations should adopt a structured approach to crisis management by applying a set of principles on which a crisis management framework can be developed. This should include elements of organizational culture, leadership, competencies, and structure that supports the implementation of a crisis management capability in a purposeful, consistent, and rigorous manner.
We have seen how important a crisis management plan is to every organization. What is now becoming the norm, interestingly enough, is that most companies are creating an integration between their business continuity plan and their crisis management plan to increase the organization’s levels of resilience against all forms of crises and disasters.
Do not let your next incident, accident, or disaster leave you vulnerable, strengthen your preparedness with a well-structured Crisis Management Plan and utilize the various applicable ISO standards to ensure your plan is fit for purpose.