Crisis management after COVID
Modern crisis management in corporations should leverage the existing leadership structure. Lessons learned in crisis management during COVID indicate that the emergency management structure of the Incident Command System (ICS) is not a perfect fit for large corporations. Instead, a hybrid approach is more successful. Process owners should continue to provide expertise (cybersecurity, business continuity, crisis communications, etc.) but take a collaborative approach to preparedness and response. Doing this is especially important when the risk crosses multiple areas. Adopting a less segregated approach empowers process owners to retain their competency while leveraging the combined strength of various disciplines.
Notably, an aligned framework provides clarity for executives. Instead of adopting multiple governance structures, it emphasizes a single chain of command. Using the same system is helpful because it is easily understood and executed. A single pane of glass approach provides management with transparency and increased efficiency in strategic decision-making. It also preserves the expertise required to deal with specialized threats. In large organizations, working nimbly on behalf of the business is vital. Process owners fail when they do not include essential players to support business operations. The pandemic taught us that organizations must take an agile approach to crisis response.
A clear chain of command is appropriate
In crisis management, leaders must allocate the appropriate level of autonomy to process owners to manage events at all risk levels. However, events like COVID demonstrates the need for transparent processes to engage business units and leadership. An established core team of executives for critical incidents is crucial for effective response. The fundamental principle of an incident command system is to ensure a chain of command. I do not suggest removing a decision-making hierarchy that leverages the internal power structure. However, as I mentioned above, modern crisis management in corporations is more effective when executives are engaged in strategic decision-making. ICS works well for first responder and hospital groups, but implementation is unnatural for large businesses with complex operating models.
Companies must remain vigilant to threats from perils like natural disasters, cyber-attacks, network, and power outages. Practitioners remain vital to educating, exercising, and preparing the organization for events. I suggest that companies increase their efforts to collaborate across departments to share risk data and intelligence. Testing your crisis or recovery teams alone is no longer good enough. An annual tabletop exercise does not achieve the organizational resilience needed in a post-COVID world. Instead, businesses should consider scenario testing and cross-departmental exercising.
Managing an incident is a hybrid approach
The field is trending towards increased systems use and employing artificial intelligence (AI). Modern crisis management in corporations should utilize available technology tools and continue to leverage the expertise of professionals. Technology can replace or augment limited resources. Instead, I advocate employing best-in-class platforms along with subject matter experts.
Tools help to conduct initial risk assessments and triage threats. Today’s intelligence tools are helpful to aggregate large data sets. Ideally, the best platforms are tuned to an organization’s risk criteria with real-time monitoring to mitigate impacts. Responding to risks becomes more efficient as we better understand potential operational interruptions. It also improves the crisis team’s capacity to safeguard employees, vendors, and customer safety. An analyst or assessment team should run the data, identify risks in real-time, and supply situational awareness. I suggest utilizing both tools and people to augment emergency response.
Response flexibility is critical
Learnings from COVID and other significant disasters during 2020 showed us that evolved flexibility in planning and response is required. Few people anticipated the true global impact of the pandemic. Other crisis events in 2020 hardened my belief in the need for multidirectional crisis teams. By this, I mean that plans continue to be essential but having the agility to adjust on the fly is vital for successful outcomes. I see plans as frameworks for crisis response that are added to or modified based on the situation.
Business continuity planning and crisis response teams need to work together. Additionally, cross-functional teams should connect and align in the best interest of the entire organization. However, threats like cyber-attacks benefit from smaller and confidential response teams due to the specialized risk. It does not preclude representatives from other domains from being involved at the appropriate points. For most threats, de-centralized crisis response teams should coordinate. As I stated in my blog, A Customer Focus Means Enhanced Resilience; future success relies on interconnected and nimble crisis response teams.
Emerging threats must be constantly evaluated
Dashboards, AI, and real-time intel enhance our overall situational awareness. However, our new reliance on technology-based tools can have a downside as our greatest emerging threats post-COVID are cyber-attacks and network and power outages. My only caution is to use all available sources but continually evaluate how your team would respond to risks if systems go down.
Many of you know I am not a fan of plans but planning. As important as business continuity plans develop, it is crucial to evaluate threats and conduct weekly horizon scanning. It is no longer enough for crisis teams to be activated when an incident occurs. Instead, modern crisis management in corporations should integrate crisis management in alignment with preparedness processes.
The new best practice is a unified approach
With the increasing number of events and emerging risks categories, teams must work across departments. Working in a bubble is no longer viable when you realize threat actors are discipline agnostic. For example, eco-activism is not simply a security risk. Activists employ multiple techniques to influence companies from various channels. They show up to protest offices, use calendar jams, spam email, flood call centers, and lobby employees to join their cause. A company can face security, employee safety, reputational, technology, and continuity threats in this situation. For this multipronged threat, you want members of your crisis communication, legal, cyber, technology, business continuity, and crisis management teams involved.
An agile command hierarchy is crucial for successful preparedness and response efforts to mitigate damage. It also can shorten recovery times. In my recent webinar for Continuity Insights, Evolving Crisis Management Post-COVID, I discussed that taking a cross-functional approach breaks down silos. Doing this will build a more effective crisis response and increase resilience.