In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & CEO Bryan Strawser discusses what a successful incident or crisis management process looks like when you’re inside of an organization.
Topics discussed include: crisis management frameworks, leading in an incident or crisis situation, crisis management teams, executive crisis teams, global security operations centers, and communicating in a crisis.
Hey folks, and welcome back to the Managing Uncertainty Podcast. I’m Bryan Strawser, principal and CEO at Bryghtpath. On today’s episode, I wanted to talk a little bit about what successful incident or crisis management looks like when you’re inside of an organization. When you’re a leader in a nonprofit, in a Fortune 500 company, a public sector agency, that’s undergoing a major incident or a crisis situation. Whether you’re involved in the process or not, what does that look like? How do we know that that’s a successful incident management or crisis management process?
So there is a handful of things that, in our experience that we’ve identified that can really be seen inside of a company when we’re looking for signs or characteristics of a successful incident management process.
The first thing that we see is that there’s a radar screen. We’ve talked about this on previous episodes of the podcast, but there is a mechanism to detect incoming threats to the organization and this has to be really kind of a multidisciplinary look at threats, a holistic view of threats. It might be things like your cybersecurity detection tools being used by ISOC, or by an incident, an ISOC kind of team inside the organization. It could be proprietary global intelligence services that you use through third parties or an internal global intelligence team. It could be social media and regular media monitoring. It could be reputation management and monitoring. It could be your leading indicators of core business analytics like sales, shipping, your worst supply chain analytics and etc. But that you have these tools put into place where you’re able to see the incoming threat.
The second characteristic that we see in successful organizations is a rapid response process. And what I mean by that is that from the time that that threat is identified, there is a process that triages that threat to understand, it helps to understand the threat in the context of your organization and then activates or escalates this issue within your internal incident management, crisis management process. So there’s a way to, once that detection is made, to evaluate that, put it in front of the right folks for a decision and then escalate that process.
The third is one of the most important and that is that there are clear roles and responsibilities in an incident. Who is in charge? How are decisions made? Who is informed? Who’s accountable for the process? Is there a crisis management team or some coordinating body that assembles? And even if there is a team that assembles, who’s in charge? We often build processes, crisis management frameworks where we have a cross-organizational team and middle management, some middle management layer. We typically assign a senior executive or a business leader to that team who is responsible for making decisions in that process or is the final arbiter of the decisions.
That next characteristic is exactly that. It’s that beyond clear roles and responsibilities that there is good cross-functional coordination. There’s a body, a crisis management team, a corporate crisis management team, an enterprise incident management team, you can call it whatever you want. But there is a body within the organization that gets together, that represents the business lines and all of the core support functions in the organization and that body, the body’s role is to coordinate in that major incident or crisis situation.
The next characteristic we see in successful incident management processes is predefined decision-making rights. So whether that is kind of encompassed in that clear roles and responsibilities or in that crisis management team or incident management team. Those decision-making rights are clearly defined within the organization. So when a key player, the CEO, the COO, the CFO, the chief security officer, the CSO, when one of these folks is out of the picture, that there are clear decision-making rights on who’s going to be able to make decisions in the organization and the scope of those decisions that they can make.
A few years ago, just to illustrate this, a few years ago, I was at a local presentation being done in an FBI InfraGard meeting here in the Twin Cities, Minneapolis and St. Paul, where we had a government agency, a state government agency, cabinet-level agency and state government talking about a flooding that had occurred in their main headquarters building. And because the commissioner was out of pocket and not able to be reached and the deputy commissioner or assistant commissioner, whatever the right title was, was also out of pocket and couldn’t be reached. There was no one who was legally authorized under their regulations to declare a disaster and allow them to start expending money in order to respond to this incident. And they needed to make some decisions around sending people home and authorizing repair and flood remediation and some things. And the only way they were able to solve this was to send someone to go find the deputy who was camping in some remote part of the state in order to get a document signed and then respond to this situation that they had ongoing.
So this of course is different, a little different in government where there are some legal implications that might be defined in statute, but certainly for companies and nonprofits having clear decision-making rights in place and even for government agencies pursuing a legislative solution for this if necessary, so that you can make these decisions when the disaster hits.
The next characteristic that we see is a good clear path of escalation for decisions. As we build crisis management frameworks, we always advocate for, as we mentioned, some type of cross-functional coordinating body, like a crisis management team in one of the middle management layers to take on a lot of the day-to-day operations for an incident or crisis situation. But what you do want is that there’s a clear path of escalation to get above that group to the executives for things that executives need to approve. That could be a significant expenditure, the closure of the facility, perhaps some, there’s an HR or benefits related issue or policy decision that needs to be made. Whatever the issue is, you want to have a clear path to be able to escalate decisions to the right body to make those decisions.
The next characteristic just revolves around having a single source of truth. We like to say there should be a single source of truth internally to an organization when there is a crisis, that is the sole source that is pumping out information. We usually advocate for this to be like a command center, a global security operations center or something similar to that, maybe you call it a war room. I know some companies have a reputation management war room perhaps. The goal here is to have some single source of truth that is the body within the company that is sending out updates on the situation and they should be the only body that is sending out updates broadly within the organization. If you have multiple sources of truth, you will have multiple sets of facts and multiple sets of facts will confuse leaders and others who rely upon that information to make decisions. So we want a single source of truth internally that’s publishing information.
And then finally, successful incident management and crisis management processes have a communications plan. There’s a communications element to their plan and that communications plan includes a breakdown of communication products, prepared messaging, communication templates, if that’s necessary and a process for which these communications are developed, reviewed and approved quickly within the organization. It is true, one of the pieces to push back, we get a lot from communications teams and we agree with this, is that every situation is a little different and I couldn’t agree more. However, there’s a number of risks that each of us identifies that are the things that are most likely to happen to our company. You should prepare to message, at least begin messaging, messaging templates perhaps even, for your organization based on those top 10, 15, 20 risks that you think are going to happen. You can fill in the blanks in those communications before you publish them. But the key messages are things that you can think about and plan out today and then review them every six months and make sure that they’re current.
Not having some preplanned messaging is a recipe for disaster because you will not have time to develop the robust communication plans at the moment in most of your situations than you would if you plan them out in advance.
So these are some of the characteristics that we see when we’re looking at crisis incident management processes that we see in successful organizations. So again, a radar screen to see inbound threats, the ability to rapidly identify, triage and escalate or activate your process from the radar screen, the rapid response process, clear roles and responsibilities in an incident, a cross-functional coordination body, predefined decision-making rights, a clear path of escalation for decisions, a single source of truth internally, and then a good communications plan with planned communication products, messages and templates.
So again, with our experiences, these are the characteristics that we see in successful organizations when it comes to incident and crisis management.
What are yours? Drop us a note at firstname.lastname@example.org and let us know if you have seen other characteristics of successful incident and crisis management organizations.
We’d love to hear your thoughts.
That’s it for this week’s episode of the Managing Uncertainty Podcast, we look forward to talking with you next week.