In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses the need for rapid decision making and communications during a crisis or incident.
Reflecting on a year of crisis exercises, Bryan discusses crisis management, crisis communications, crisis management frameworks, crisis plans, crisis plan annexes, prepared crisis communications messages, holding statements and more.
Related Episodes & Blog Posts
- Episode #4: The Crisis Team
- Episode #19: Exercises are Boring
- Episode #34: Communicating after the Boom
- Episode #40: Why we exercise our plans
- Our Crisis Communications 101 Intro Course
- Bryghtpath’s Crisis Communications Services
Bryan Strawser: Hello and welcome to the Managing Uncertainty podcast. This is Brian Strawser, principal and chief executive here at Bryghtpath. I’m running solo on today’s podcast and I’d like to talk a little bit about the need for speed, so to speak, during a crisis or during a major incident. We’ve now facilitated a number of exercises over the course of the year. And one thing that we keep coming back to, coming out of these exercises is the need to get to a decision, the need to get the communication out, the need to make the strategic decisions that need to happen early in a crisis to set the stage for success. And so I want to dive into that a little bit and I think we’re clear about, I think everyone is clear about the need for rapid decision making during a crisis and the need to get your message out from a crisis communication standpoint once things start to become public or you’ve decided to make them public.
Bryan Strawser: But how does one achieve that? How do you get to that point in the crisis situation or in the exercise? As we’ve talked previously about how do you set up a crisis management team, an incident management team and kind of set the stage for this. It starts with having that basic crisis framework in place. That there are clear roles and responsibilities amongst the team on what every role or what every team does that they bring to the table. That you have created a decision making and communication framework that clearly lays out the decision-making rights of the individuals in the room. For example, who has to approve the activation of the crisis team, who is the final decision maker where there’s disagreement, who approves the communication, who needs to see that?
Bryan Strawser: Those are all basic things that should be in your initial crisis management framework and plan. And then once you have that in place, and we’ve always talked about at this point, you begin to prepare for known risks and threats. What are the five, 10, 15, 20 things that you think you are at most risk at or that your data says you’re at most risk to have happen? And now you start to build annexes to your plans, to your crisis management plan on how you’re going to deal with those specific situations. For example, the place I came from and worked for many years as the head of crisis management and overall crisis management plan and framework and that was augmented by a plan for hurricanes because we dealt with hurricanes across the Southeast and the overall East coast of the United States on a regular basis. And because that was one of our largest risks, we had fairly detailed plans about how to deal with that.
Bryan Strawser: In those plans, you should also have clear checklists and reference material by team and by role laid out in there for the folks bring to the table and begin to execute when those situations occur. For example, crisis communications in almost any crisis or incident, your communications or PR team, whatever you might call it, they’re an essential part of your process. They’re communicating, they’re are likely managing communication internally and externally through all of your internal channels. That could be your intranet, email, Slack, or Microsoft Teams or a similar tool. They’re managing your externally facing communications. Here are social media, direct interactions with the press, your website press releases. There’s a lot of different vehicles for them to share. You might have IVR messages for your support center. You might have to message within your application or your SaaS if that’s the business that you’re in.
Bryan Strawser: But your crisis communications team, at least for the things that you expect that you are at risk for, as you’re building these plan annexes should have prepared statements that at least serve as a starting point for these situations. That way when you’re in the incident or crisis situation, your comms team has a library of material to pull from in order to start that messaging process. They should have a solid holding statement that can be used early on, particularly if it’s something that comes at you with no notice and you’re forced to communicate some things before you really understand the full scope and scale of what’s gone on. Your holding statement can be something as simple as, we’re investigating an incident and we will provide more information as it becomes available. That we’re dedicating all of our available resources to managing the situation. Or it can be, we are currently working with law enforcement on a situation in one of our facilities, our thoughts and prayers are with law enforcement as they manage through this tragic situation.
Bryan Strawser: There’s a lot of possibilities for holding statements and this podcast today is really, this episode today is really not about how to write such a statement, but you should have them available so that your comms team can quickly respond as something happens. And again, as we’ve talked about previously on some of our episodes about reputation management in managing a crisis, if you do not say anything, if your answer is no comment or you can’t comment at this time, the press is going to write the story without you. It’s your chance to set the story, the narrative of the story, the way you want it to be. If you just no comment on the whole thing, it doesn’t mean it goes away. It means the press and others will tell the story for you and you miss the opportunity to at least, I won’t say spin, but to have an influence on the narrative that you want to have during that time.
Bryan Strawser: And again, this all has to happen quickly. As you think about what your plan annexes and your crisis communications plans should look like, you want the detail in there that enables the team to start with something, make appropriate changes for the facts of the incident and get the message out when your leaders are ready to give the thumbs up and go ahead. But having the plan written is not just enough. You have to practice the process of getting there because it will highlight your opportunities in how you expect the plan to work. And it will highlight for you where you have challenges in getting this done quickly.
Bryan Strawser: This is where the need for practice and realistic crisis exercises comes to play in your preparedness efforts. And you can start easy. You can start with a tabletop type of exercise where you’re just talking through what’s going on and you’re doing this cross-functionally within your crisis management team or your incident management team. But you’re talking about what’s going on and you’re getting familiar with each other’s plans and you’re talking about the interactions. And that’s a good place to start, but that is not the endgame for your exercises. You need to simulate and do realistic simulations over time so you get the team used to execute on the plan during the tabletop and we start to understand how information flows throughout the team. But then you need to move to a realistic simulation where you’re actually having to do the work. You’re having to write the communication. You’re having to make the decisions that will need to be made in the exercise.
Bryan Strawser: For example, just last week we were facilitating a crisis exercise centered on a data breach for a technology company and we were well into the exercise, several hours into a simulation. We were really not talking to the group at all. It was all being driven through injects and communication that was going on and calls from reporters and emails from reporters and there was a lot of kind of tension in the room. And in the simulation, one of the production systems that clients used was penetrated by a ransomware malware that carried a ransomware-type of encryption. And after a brief discussion, they made the tough decision and the tough decision was we’re going to disconnect the thing from the network because we can’t risk it spreading and it will give us a chance to kind of forensically examine what’s going on. And so they literally talked through with no plan to do this, by the way, this was part of their decision-making process. How are we going to disconnect this thing and then begin forensics examination and attempt to recover and make a better decision about what to do?
Bryan Strawser: That was a decision made in the moment that I thought was well executed in terms of discussion and the decision from the team. But we would never have gotten there in a tabletop simulation. It was the real moment of, oh gosh, this has gone farther than we expected. And now let’s talk about what do we do? Well, we should disconnect the thing, and then we can kind of go on from there in terms of what’s next in the simulation.
Bryan Strawser: Again, I think you have to practice this for real. You have to write the communications, you have to make the decisions in the moment according to what your plan calls for. But our kind of path I think for exercises is you start with tabletops and kind of learn what those team interactions look like and what’s in each other’s plans. Move to realistic simulations where you’re actually practicing realistic scenarios and having to do the work, write the communications, publish the communications, make the decisions. And then I think you move to unannounced simulations that are realistic, that contain the kind of slow build that a real incident does. And see it, do you take the preparation steps that you really need to take as you begin to see the warning signs and early indicators that something’s going on?
Bryan Strawser: If you don’t have a crisis communications function in your organization or you don’t have crisis management expertise that’s on your team, I think that’s okay. It’s not a common thing in a small to medium enterprise to necessarily have that kind of specialization within your organization. Then hire someone to help you. Bring in an expert to consult or be available to help your team develop the skills that they need, the muscle memory that they need to conduct exercises like this that help your organization mature and grow in their crisis management and communications capability.
Bryan Strawser: Again, clear roles and responsibilities. Be prepared for known risks and threats. Have a good decision-making framework. Practice your plans, starting with tabletops and then move to realistic simulations. And then unannounced realistic simulations or fully integrated exercise if you want to follow the FEMA and DHS terminology. And if we can help you in any way, develop your exercise strategy, conduct exercises or coach your team through some of these things, drop us a note at firstname.lastname@example.org or via phone at (612) 235-6435. Thanks for listening. We’ll have a new episode next week.