We’ve talked on several previous episodes about the need for a single, defined crisis management framework in an organization.
In Episode #59 of the Managing Uncertainty Podcast, Bryghtpath Principal & CEO Bryan Strawser and Consultant Bray Wheeler go deeper into this need – and talk about the need to integrate all of an organization’s various incident management processes into a single unified crisis management framework.
Bryan Strawser: Hello and welcome to the Managing Uncertainty podcast. This is Bryan Strawser, principal and CEO here at Bryghtpath.
Bray Wheeler: Hi, this is Bray Wheeler, consultant at Bryghtpath.
Bryan Strawser: And today we’re going to be talking about having a single, unified crisis management framework. And I guess I’ll sum the problem up because Bray and I were talking about this on the ride back from lunch today as we were struggling to figure out what to talk about on the podcast. And one of the things that we hit on is that we often see the issue in organizations that organically, for all the reasons that seem like the right reason at the time, a lot of companies wind up having siloed incident and crisis management processes that are totally rooted in the kind of problem that a single organization and the company has to deal with.
Bray Wheeler: Yes.
Bryan Strawser: And, over time they come to realize that they need other teams involved in that process. So what happens is, and I’m just going to pick on my two favorite people to pick on, physical security or corporate security and information security or cybersecurity, that they probably have in most companies, separate incident management processes, and then almost are definitely going to have separate crisis management processes.
Bray Wheeler: Most likely.
Bryan Strawser: And let’s say that both things happen in the same week. So the physical security, the corporate security team is dealing with a homicide, the cybersecurity team is dealing with some type of data breach. They’re probably sending out two different communications that are not coordinated, that have different templates, that have different people at the table to make decisions, maybe not the right people, and not everyone is being informed in a consistent manner. And at the top of that food chain is a CEO who is getting one set of comms from here about one incident and a different set of comms from here about a different incident, and says the infamous WTF, what’s going on here?
Bray Wheeler: Yep. They look different.
Bryan Strawser: They look different.
Bray Wheeler: They talk differently. They’re using different language.
Bryan Strawser: Maybe one informed me and maybe one didn’t.
Bray Wheeler: Asking me things or not asking me things.
Bryan Strawser: And I don’t know, what’s my role supposed to be?
Bray Wheeler: Yep.
Bryan Strawser: You can’t see me because I’m raising my arms up in the like, “What?”
Bray Wheeler: He’s gesticulating.
Bryan Strawser: What? What’s going on? So, how do we solve this problem? What do we want companies to do?
Bray Wheeler: I think the big thing is, it’s not inherently bad to have different response systems to, as we’re picking on physical security and information security because they’re inherently different types of problems.
Bryan Strawser: Absolutely.
Bray Wheeler: However, when we get up into a certain threshold, and however that’s defined within the organization, and probably one of the challenges is defining things similarly, you have a threshold that when it is crossed there, that it becomes an enterprise problem, an enterprise response to something. So that way it has a consistent look and feel. It has a consistent inform process, an escalation process, a de-escalation process, a review after-action process that all those things walk and talk similarly, regardless of what the problem is so that the C-suite, the execs, all know, “Okay, I understand what’s going on. Okay, I understand what’s being asked of me. Okay, I understand what’s coming next, even if I’m not in it day-to-day.” And throughout the organization, it starts to build that culture of, “We know what to do,” because of a lot of times, to your earlier point, it’s not even just the execs that are called in. A lot of times these processes could be pinging the same communications person.
Bryan Strawser: Well, yeah I was about to say, I mean it’s all-
Bray Wheeler: It’s an HR person.
Bryan Strawser: All of these crises, all these incident types, there’s a communications element to the whole thing, and so comms is going to get pulled in multiple different directions as you go through that. I mean, what we preach I think consistently, and we try to guide our clients towards is that you want a single, unified crisis management process for the organization. You may have some debates about what’s an incident and what’s a crisis or what’s an event, what’s an incident, what’s a crisis if I use the kind of ITIL terms for IT incidents, but, or even disaster comes into play in a term, in the world that we live in.
Bryan Strawser: But just think about in the generic discussions we have with companies when we teach how to build a crisis framework, we talk about five types of incidents, just kind of generically. That companies have operational incidents, so there are disruptions to your business. There are IT or information systems incidents. Those could be cyber incidents, or they could be a tech problem. You have security incidents, physical security incidents, you may have a financial incident like a liquidity problem. And don’t tell me that’s not a crisis, that is a huge crisis for companies. And then all of these have reputational components, but you also have a reputational incident. You could have executive misconduct, you could have some 2-year-old intern, got the keys to your Twitter account and posted something dumb. I mean, there’s a lot of things that can happen there, but there alone are five types of incidents before we even get to what industry sector are you in and does that generate particular types of issues? All of those can become a crisis.
Bray Wheeler: They can. And it’s one of those things where if you’re not, this is where culture matters with a lot of this stuff, and having some unification of how you’re defining things, how you’re organizing yourselves, how you’re building on each other matters because it’s, as things come through, it may manifest as, to pick on reputation a little bit, it may manifest as a security incident. Security incident’s resolved through the process, it escalates up kind of in that response, but how the company handles it, something that happens, some statement somebody makes, all of a sudden makes it a reputational issue.
Bray Wheeler: Who’s running that? Physical security isn’t going to feel equipped, and they’re going to feel like their job is done and now all of a sudden it’s a reputational piece. Who’s on point? Does it start over? Does somebody have to now pick this ball up from scratch and go? Whereas if you have that unified, if you have a consistent escalation process within the company, there’s kind of a sense of, I don’t want to say comfort, but a sense of confidence in terms of, “Hey, the security part of this is over, but we’re still all engaged and still responding to the reputational component of this, and still managing that through its conclusion,” in air quotes.
Bryan Strawser: Well, and I think some of these situations have multiple dimensions to them anyway, which is why we always talk about having a cross-functional crisis team. But I remember years ago when I was at my last employer where we had a reputational issue going on that led to in-person protests at locations, at the company’s locations. That’s no longer just a communications problem. That’s now disrupting the business, endangering customers. It requires physical security to be at the table, but it was difficult to get a seat at the table because everyone perceived this as, “Well, this is the reputational issue.”
Bray Wheeler: Yeah.
Bryan Strawser: It’s bigger than that.
Bray Wheeler: You start to put other functions of the business at risk. Or you’re putting it in their hands because you’re so focused on trying to manage media or manage a conversation with another organization that you’re ignoring kind of those folks on the ground that are just trying to run the business, but now they’re speaking for the business. And if they’re not armed, if they’re not aware, if they’re not feeling confident in what the organization’s trying to do or what they should be saying, it starts spinning. And now not only do you have a localized, or not only do you have kind of a bigger issue, but you have also localized issues. Or you have a feeder into that bigger issue that just keeps compounding itself.
Bryan Strawser: Yeah, I think we keep preaching the idea that a crisis is a crisis. How you got to be in the crisis doesn’t really matter. The general processes that you’re going to use to collaborate across the organization, across the silos, right? To make the right decision, to communicate the results of those decisions, to get buy-in from your executive leadership or to escalate an issue to executive leadership, those are, to me, those are unchangeable regardless of how you got to the crisis, right? You may have specific actions that you want your crisis team to take based on the type of incident that you started with.
Bray Wheeler: And that’s important.
Bryan Strawser: And you will. You will. If it’s a cyber incident, you’ve got regulatory requirements regardless of what industry you’re in. You may have a data breach notification provider you need to spin up. There are things you’re probably gonna have to do that are unique to that type of crisis. The same way that if you’re dealing with an active shooter incident, there are some things you’re going to need to do that are unique to that type of scenario. But that process of getting together and making decisions and communicating those decisions, it doesn’t differ.
Bray Wheeler: No, I mean at the basic level, it’s the right people in the right room able to make the right decisions.
Bryan Strawser: Yep. Clearly defined roles and responsibilities, escalation pathway to senior executives. The same things we always have talked about when it comes to a crisis framework.
Bray Wheeler: And I think that’s part of what we touched on too, and to get into some of that is there’s a couple of different things at play, too. There’s assuming positive intent with some of this too, that some of these functions, if there is a sense that, “Hey, this process doesn’t really account for my kind of business area and what we deal with,” they’re feeling obligated to put something into play. Or if there is a sense that, “Oh, well there’s a perception that that team only deals with hurricanes,” because that has been the big issue for the last three or four months. There’s been three or four big hurricanes and weather and things like that. “Oh, they just do the weather. They don’t do all that other stuff.” So there’s that sense of positive intent, too, that people are just trying to solve those problems, but it can’t just live in that world. And I think a lot of those functions have to be open to the fact that there are lines. There does need to be some common definitions, even if they differ a little bit in terms of the specific area that we’re talking about. You do have to reach some thresholds of, “When it hits here, we’re going to get together in the room and figure out, is that where it is? Does it need to go higher?” Or, “Your organization’s got it? Great. We’ll just be on standby.”
Bryan Strawser: Totally agree with that. Totally agree with that.
Bray Wheeler: I will say, part of what I think especially bigger organizations run into, because they are big, they’re more complex. There’s more just inherent bureaucracy, organizational kind of spread in terms of people’s focus areas. It’s important if your company does have a crisis management or response focus that those teams are not only talking to each other but if there is one kind of master process, that it’s constantly kind of refreshing itself and evolving to what those risks are within the business. That it’s constantly raising awareness to, “Hey, this company has this process and this is what we do for X company.” That way you’re building that awareness, you’re building that culture, you’re building that, “Oh, something happened. I bet you that team is on it. I bet you that function is on it. Oh, I know they’re responding to it.” Or if you’re in a different organization, “I know where to go. I know what’s going to be expected of me when we raise something up.”
Bray Wheeler: I think it’s just as important as kind of bringing everybody to the room. It’s kind of constantly reinforcing that, because if you don’t have an incident for a while that raises to kind of your upper levels, out of sight, out of mind. People start forgetting. And then you start running into, “Well, we got to create something,” or, “what does it we do?” And you get out of practice.
Bryan Strawser: Yeah, I agree. I think that the broader base of crisis situations is a better approach in terms of having those things flow into your crisis process and that you’re seeing that consistency in how this is getting handled, how it’s being communicated, and the value that places on kind of your centralized crisis team or command center, security operation center, whatever is kind of at the heartbeat of making this place happen, making this process happen.
Bray Wheeler: Yeah.
Bryan Strawser: So that’s it for this edition of the Managing Uncertainty podcast. We’ll be back at you next week with two episodes. Our BryghtCast episode focusing on recent events and what it means for private sector organizations, and a deep-dive into another topic. Thanks for listening.