Is the Crisis Management ISO Valuable?
A few weeks ago, I shared a blog post asking Is ISO 22361:2022 CM Worthwhile? It was a preview of what I saw on their website. As promised, I am doing a deeper dive. Of course, I can’t share every aspect of the guidance with you, but I can provide an overview of the committee’s goals. Finally, I will give my opinion on what it means for practitioners.
The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies. They aim to help businesses establish a framework for various operational areas. The challenge with any document of this type is that it can be pretty general. When I started in this field, I wanted people to tell me how to do things. I searched for templates (spoiler: watch for those next year) or step-by-step instructions. Of course, as I matured as a professional, I learned absolutes were impossible because each organization is unique. However, at times, I would still like a starting point.
Crisis Management Frameworks
What I appreciate about the guidance is its focus on successfully developing crisis management capabilities within an organization. It accomplishes this by laying out four fundamental pillars. These are the elements outlined in the guidance:
- A committed leadership;
- Structures (e.g., funding, communications, relationships and linkages, equipment, facilities, information management, principles, and procedures);
- A supportive culture (e.g., values, ethics, code of conduct);
- Competent personnel (e.g., knowledge, skills and attitude, flexible thinking).
Additionally, the interplay between other disciplines is stressed. Implied is that different groups, like risk, business continuity, security, etc., must work together to support a resilient organization. It also recognizes that response cannot be accomplished in a fishbowl. Instead, the company must support organization and dedication. In short, a framework is established and maintained.
The Success Target
To support the standard, a visual was developed that explains the capability. An interconnected matrix of principles, framework, and process is bound by continuous improvement. It sets a successful foundation and ongoing capacity. The guide maintains these aspects must work together. The bullseye is an improvement mindset. It’s a recognition that, as with resilience or risk, the work is never completed but ongoing.
Next, the guide is framed to outline an ideal structure. Then, it provides a deeper dive into what is meant by crisis leadership, strategic decision-making, communication, and the improvement cycle. A vital aspect is the standard’s definition of capability. It is defined as the “ability to accomplish an undertaking with a defined intended outcome and within specified conditions,” It’s a little vague but broad enough to be retrofitted to many circumstances.
An Attempt at Clear Definitions
Another aspect of ISO 22361 that I applaud is providing a definitive definition of crisis. It’s an “abnormal or extraordinary event or situation that threatens an organization or community and requires a strategic, adaptive, and timely response to preserve its viability or integrity.” Additional references for the management team, activities, and planning are also provided. Of note, an incident is defined as an “event or situation that can be or could lead to a disruption, loss, emergency or crisis.” Too often, I see the two confused.
Next, the critical characteristics of a crisis are outlined. An in-depth review of the differences between incidents and crises is summarized. The committee recognized that “an issue could escalate to an incident, then a crisis.” My recent experience is that some undue confusion has occurred among resilience groups when the distinctions are unclear. The ISO does an excellent job of tying issues, incidents, and crises along a continuum from low, nominal impacts or complexity to the extraordinary strategic response that crisis requires, as they are infrequent events.
Principles and building capacity
The standard then attempts to establish guiding principles for crisis management. It recognizes that disasters can arise from various causes. Then, it lays out the need for good organizational practices and challenges created by poor governance, inadequate workaround strategies, overcomplication, and weak controls. Interestingly, it dives into the dangers of negative behaviors, lack of supervision, poor training, and other human factors that negatively impact the outcome of a mismanaged event.
In my opinion, the ISO recognized that the discipline needs programming throughout its lifecycle, from the planning stages to the need for after-action debriefing and training. Regardless of the terminology, the need for program governance, building strategic capabilities, engagement in risk management, and effective decision-making are all indicated. Beyond that, the guiding principles are a process for successful crisis communications, a grounding in ethics, and openness to learning.
No ICS or AIIMS Anywhere
The guidance indicates what aspects of crisis management are vital to successful implementation and delivery. These include clear activation triggers. Then, the ISO recommends that those involved in the process clearly understand the goals and know how to deliver the framework. It translates to understanding the principles and supporting the organizational strategy. Interestingly, it does not indicate a preferred method for implementation, such as Incident Command System (ICS) or another control system. Instead, it implies that it is up to the organization to decide.
In the standard, the importance of an established framework, leadership buy-in, structure, cultural inputs, and competence are laid out. Next, a process for crisis management is identified. A chunk of the guidance outlines how these aspects can be adequately accomplished and the attributes to support it. It’s hard, of course, to summarize it without quoting the entire document. But hopefully, this provides you with an overview. What the guide does well is diagram structure and process in a way that allows room to implement in any organization.
Making the Crisis Management Cake
The standards are meant to standardize complex topics for general use. They are not recipe books to make a specific cake. Instead, the structure for a book’s worth of different cakes could be made. For example, almost every cake needs flour, eggs, sugar, baking powder, soda, and salt. As practitioners, we decide whether it is a vanilla, chocolate, carrot cake, etc. It’s a simplistic analogy, but I hope it gets to the heart of the matter. ISO can’t tell us how to run our crisis management programs. However, they can give us parameters for making the best cakes. It does a solid job of laying out the criteria for crisis management in today’s workplace.
Overall, I am good with the guidance. It provides some in-depth strategies for a crisis management workflow, for example. And it outlines the necessity of developing competency through training, exercising, and continued evaluation. It even provides bullet points on what makes a good crisis leader and the hard and soft skills those individuals need. What it doesn’t do is impose a rigid system of organization that must be followed.
The Standard is a Good Step Forward
It references ISO 22329 for Emergency Management in the bibliography and as a related discipline. Instead, this standard recognizes crisis management as a standalone discipline. For purists, this may irritate, but the ISO does point to ISO 22301 for Business Continuity Management Systems. So, it does not provide absolutes but is a sound basis for best practices. That’s all I expected.
What’s Next for Crisis Management?
I expect some debate, just as there is with resilience (see Marcus Vaughan of iluminr’s blog What on Earth is Going On?). Everyone has their spin on the topic. The ISO attempts to create common ground for professionals and leaders to agree upon. It does not say how your crisis management team must be organized or who your crisis manager should be. Instead, it tells you effective crisis leadership understands the core principles of crisis response.
Then, it suggests how to execute responses and manage crises programmatically and successfully. Otherwise, the rest is up to us as we navigate our organizations’ needs, values, and culture. It empowers us to develop what makes the most sense for each unique business. There was a time when I wanted absolutes. Now, I appreciate the flexibility embedded in the ISO.
Gratitude and Final Thoughts
Thank you to the Technical Committee (ISO/TC 292) and the European Committee for Standardization (CEN) Technical Committee CEN/TS 391. I’ve learned it is never easy to get a group of strong-willed, dedicated people together and get them to agree on anything. So, you’ve done a massive job creating the first edition of ISO 22361. Bravo. For my fellow practitioners, look at the guide and let me know your thoughts. I know I’ll digest it further as I consider the practical applications.
I advocate for the separation of crisis management and business continuity planning. Business continuity focuses on functional recovery, whereas crisis management seeks to limit damage to an organization’s assets when the worst occurs. The Business Continuity Institute (BCI) recently commented while sharing the Resilience in Conflict Report that an increasing number of professionals are filling the dual role of planning and crisis management. That’s concerning to me, although I have direct experience with it. Instead of value-add, I believe it ultimately dilutes focus.
It is good news from a resilience perspective that 49.6% have a centralized crisis management function. It is a vital function and partner in building ongoing resilience, providing critical support to address many escalating issues that today’s businesses face. From reputational crises to pandemics, crisis management is more than the traditional response to facility events. The launch of ISO 22361 is a good step in acknowledging that crisis management is not just emergency management in today’s organizational environment.
Purchase ISO 22361:2022.
Did you know?
Disaster Empire blogs contain embedded links to source materials, articles of interest, videos, books, and training I recommend you check out to expand your knowledge base. Just click on the blue embedded link to access the resource.
Charitable Giving Opportunity:
- Overwatch Foundation – I recently became aware of this group of US Military Veterans providing critical natural disaster relief & urgent humanitarian response to those in need from an episode of the Shaw Ryan Show. Overwatch supports soldiers in Ukraine and ran a mission for Hurricane Ian in Florida. Check them out, and please give if their work resonates with you.