There’s good reason for organisations to be concerned about the potential threats they face. A brief look at local, national or international news highlights that organisations face a range of threats, from disgruntled clients to a damaging cyber-attack or even civil unrest.
Managers are likely to navigate at least two or three major crises during their professional lives, and the way they respond could make or break their careers. Determining whether or not your organisation is likely to be a target for a malicious actor is not an exact science, but looking at previous incidents does give us some insight.
For example, an increasing number of terrorist attacks are 'low complexity' operations that target densely populated, publicly accessible locations. And clearly organisations that are designed to welcome clients onto their premises have an inherent vulnerability to this type of attack. Restaurants, hotels, event venues and shopping malls must all balance welcoming customers with keeping them safe.
Organisations or businesses that are located close to a high-profile or target location, such as a government building or other critical national infrastructure, face a ‘location-based risk’, where they may be collateral damage in a nearby attack.
Another trend that has emerged recently is the increase in incidents of civil unrest and criminal damage. In the case of strikes, riots and civil commotion (SRCC), while a protest may start in one place, it will ebb and flow depending on street layout, police response and crowd dynamics. Businesses along the route of SRCC could be targeted due to simple proximity, their brand and reputation, or even the value of the goods on display.
These trends illustrate the complexity of risk management for a business, but what can you do as a business leader or manager to make sure you are appropriately prepared should the worst happen?
The key is to have a plan before a crisis unfolds. Organisations should have well documented policies and procedures around crisis management, including business continuity and incident response plans. In well prepared organisations there is also likely to be a crisis management committee who could provide further information.
Once you have familiarised yourself with your organisation’s policies and procedures, it’s important to understand your responsibilities as a manager or leader. If you are unsure, contact the responsible person within your business. You’ll be asked to engage in any rehearsals or training and ensure your team is similarly well briefed. Become familiar with the different types of incidents and how your role may vary.
A rapid onset crisis, such as a marauding assailant will require an immediate and quick response from staff on the ground requiring junior staff to have the delegated authority and confidence to act.
In contrast, a slower burn crisis such as a data breach, adverse publicity or reputational threat may need a more considered response and is likely to be managed by a specialist team or committee. This is where the combined skills of the crisis management team can help prevent an incident developing into a company-wide, existential crisis.
When building a crisis management plan, it’s important to build connections with:
- Key suppliers: to understand their business continuity plans should their core business “go down” and impact your ability to serve clients.
- Neighbours: to co-ordinate plans should an incident impact a broader area.
- Emergency Services: Large or critical businesses may seek to undertake joint tabletop exercises to understand how to dovetail their company response with official support.
- Insurance Providers: They may include response services to both cyber and physical incidents within your policy. Understanding what support they can and cannot provide and building a relationship in advance will help you work more seamlessly in a real event.
The risk environment is not static, so plans should be reviewed on a regular basis. Plans should be supported by training and rehearsals, making sure to involve all the relevant people so everyone understands their role.
And finally, building internal and external connections ahead of time will clarify responsibilities, where to get support, and how to escalate should it be required. These steps will ensure managers are properly prepared in a crisis.