Crisis Management "Expect the Unexpected".
by kimberley a. herndon
ANSWERS Risk Management & Personal Protection Consulting
*See our quiz at the end of this article to determine your risk management savvy.
To quote American Quaker poet, and fiery politician John Greenleaf Whittier, "Each crisis brings its word and deed." A crisis can consist of a laid off employee who appears with a firearm, an executive who receives death threats from an ex-girlfriend, the theft of sensitive company information, or a devastating flood. The key to crisis management is critical thinking--analyzing risk and planning ahead for it.
Once a crisis has developed, it is too late for prevention, and we are left with "damage control", with the assistance of law enforcement officials, mental health officials, medical personnel or private special ops teams. The old Boy Scout motto, "Be prepared," is the watchword for what has become a multi-million dollar industry encompassing information technology security, personal and physical plant and home security, workplace violence prevention and disaster preparedness.
Crisis management is, by its very definition, a means of controlling, as much as possible, the unexpected. In order to meet this goal, a good crisis management plan should involve three stages:
1) evaluation and assessment;
2) instituting a plan covering possible exigencies; and
3) testing the plan.
Determine Any Immediate Danger
The first step in a good security assessment involves working with the client to determine areas of critical risk or immediate danger. Immediate danger requires an immediate working solution. Do not delay! This solution does not necessarily have to be elaborate, or permanent--simply effective. For example, this may include temporarily recalling an executive from an unstable international environment, assigning security guards to protect a particularly sensitive area of value within a company, providing personal protection specialists to watch over a loved one, or installing temporary electronic detection systems to prevent tampering with equipment or vehicles. The basic idea is to stop anything drastic from happening while sorting out the larger picture. No long-term projects are instituted during this phase, because upon further reflection, the "game plan" may consist of more effective long-term solutions.
For example, a crisis management professional met with the department heads of a company involved in a national security project, on the first morning of working with the new client. During the meeting, it came to light that an employee had been receiving death threats from an ex-boyfriend, who happened to be a former employee of the company. She had filed a restraining order against him and he was forbidden to come anywhere near her. This was unknown to security personnel at the facility (but known to the head of human resources). The ex-boyfriend had been seen in the building behaving strangely the previous day by security personnel and had informed them he was "just visiting"! Upon learning of the situation, the crisis management specialist immediately assigned armed guards to the front entrance of the building, controlled access to all other entrances, and had the woman escorted to and from her vehicle. These are the kinds of actions that constitute crisis management. The professional simply knew enough to connect the series of "dots" necessary to form a bigger risk "picture".
One of the great benefits in hiring a risk management professional is that an "outsider" often sees things that are otherwise missed. We tend not to notice what we see every day, making a fresh, professional prospective invaluable. A crisis management professional once noticed that each day after lunch, the area leading to a company's cafeteria was locked behind a retractable fence, to keep theft of kitchen supplies to a minimum. It was also noticed, however, that that area housed the company's fire-fighting gear for that entire general area. The professional telephoned the company president and received permission to hold a surprise fire drill, notified the fire department that it was a drill, and pulled the alarm. It was quickly ascertained that the company's internal fire fighting team had no clue who held keys to the gate or where they might be located. After paging the maintenance crew (who were at lunch) for keys to the area, the fire-fighting team's "response time" was approximately an hour and a half. They also had no idea now to turn off the alarm.
Step One: An In-Depth Assessment
After applying an effective "quick fix" to any areas of immediate security concern, the next step is an in depth assessment. This step involves analyzing physical security, including potential for intrusion, as well as intrusion prevention systems, both physical and electronic. The professional will determine the type and appropriateness of the background investigations regarding new hires, examine the entry screening of persons such as outside vendors or delivery persons, and determine the training levels of relevant personnel--both heads of departments and security personnel. He or she will not rule out training for the individual client. An educated, trained and informed person is a much safer one.
The analysis will examine personnel policies and establish training for human resource employees in appropriate ways to handle "front line" issues. Often the human resource department is the first point of contact for a potentially serious problem. Extra physical protection for this department is often prudent, as well as for high profile company executives who are often first-line targets.
Employees or staff should be taught that there is no such thing as a "dumb question" and that bringing up something that seems out of place or suspicious is not only tolerated, but highly desirable. An attacker or assailant of any kind preys on gaps in security and on lack of effective teamwork. Lines of communication should be evaluated, as well as actual methods of communication and backup systems; an independent system should be in place that allows for instant communication to all members of a household or company in the event of an emergency.
Information loss is another area that requires scrutiny. Loss of information creates a situation of danger and liability for both company and individual. In a recent medical provider lawsuit, a company's subcontractor gained access to the company's client list without a non-compete agreement in place, cancelled their contract with the larger entity, and marketed direct services to every client on the list. The crisis management professional will evaluate the potential for "leaks", and train staff regarding these issues. Instituting a "zero tolerance" policy for leaks of sensitive information, such as schedules of those being protected, security procedures, engineering developments, company vulnerabilities, etc. is essential. A crisis management plan will evaluate all areas of personal, physical and information related security.
It is also essential that danger from natural disaster not be overlooked as a form of security risk. A good crisis management plan will include fire and weather preparedness, disaster plans, equipment and maintenance checks, and evacuation procedures. For example, on Saturday, May 9, 1992, the Westray Mine in Pictou County, Nova Scotia blew up, killing 26 men. The explosion was so strong it destroyed the mine entrance a mile above, as well as steel roof supports throughout the mine. In local townships, windows were shattered and houses rattled on their foundations. The explosion was largely attributed to poor evaluation of the dangers of naturally occurring coal gases emitted in the mining process, and poor installation of appropriate safety equipment. The mine ceased operations and went bankrupt.
Step Two: Find Workable Solutions
After the assessment phase, and potential threats have been determined, the professional will institute a global risk management system to include damage control (if necessary), employee training, personal, information and facility protection, and security countermeasures. Countermeasures are often a matter of common sense. How many of us have ever laid a long wooden stick in a sliding glass door to block a potential intruder? Crisis management applies these common sense principals on a more comprehensive and professional level.
Although the solutions to individual problems are too complex to address in this short article, and no one person can possibly be an expert on all areas of security and personal protection, the "pros" invariable have their own specialties as well as a network of trusted experts who form a team stronger than any one of its individual members. Instituting a crisis management plan can save lives, and reduce liability and damages. We all hope that nothing will happen, but planning for the worst case scenario, as a precaution, is a smart idea.
During the process of finding workable solutions, all options should be laid "on the table" for later reflection. No idea should be immediately rejected, since with modification, what at first seems absurd might later prove highly effective with a little creative modification. For example, trying to hide the fact that a 6'5" muscular protection specialist in a business suit is guarding a child at the beach may seem ludicrous on its face. However, place a 5'6" female bodyguard in cut-offs carrying a beach bag with the child, and,"voila!" problem solved. Instant "bodyguard" as "babysitter".
Brainstorming among professional teams of protection and risk specialists are one of the true benefits of hiring a professional to do the job. Creative problem solving from those with extensive education, training and experience will make you, your family, your company and your assets much safer. Balances must be struck between "enough" security to be effective, given the threat level, and so much security that the subject of protection is crippled from functioning. Often, cost must also be evaluated in order to gain the most advantage from the dollars budgeted for security measures. The choice must be left up to the client, with input, concrete suggestions and the development of options gleaned from the professional. Phase two is complete when choices have been made and those security measures have been implemented.
Step Three: Testing Phase
Phase three, after the institution of the crisis management plan, is the testing phase. Drills, drills, and more drills should occur until the reaction to known potential problems becomes rote, a reflex. Contacts should be established with relevant outside agencies, such as police, and fire and rescue departments. Communication lists and procedures should be tested and evaluated. Training sessions should be held with all personnel relative to their positions of authority during a crisis. Fine tuning of the plan must occur to ensure its "workability". Ego has no place in this process. If it doesn't work, a real pro will "scrap it" and go to "Plan B".
An untested plan has the potential for disaster. Electric power failed for one million people within about a fifty square mile area of San Francisco on December 8, 1998. A utility crew had inadvertently destroyed part of the system during substation repairs, creating a disaster that left area businesses and residences helpless. Many companies experienced failure of backup generators (or had none). Due to the flood of communication attempts directly after the disaster, even backup systems were disabled and communications completely broke down, resulting in the loss of valuable time and resources, as well an endangering employees stranded in elevators and other areas. Many of these problems could have been prevented with careful implementation and testing of a crisis management plan.
Regular calendar dates should be set to re-evaluate the situation, taking into account any new issues that may have arisen since the plan was put into place. Regular checks to determine the workability of the system function as "pop quizzes", honing a plan to its most effective level. Any time a new threat is identified, this process must be applied and the plan updated to include the new risk. An outdated plan can do more damage than good from the resulting confusion in a crisis.
With careful risk analysis, crisis management becomes "manageable".
Risk Management "Pop Quiz"
"How Prepared Are You for the Unexpected?"
1. Do you have a team of people assigned to coordinate emergencies? When is the last time they met? How often do they meet? How well are they trained? Are you set up at home and at the office to handle emergencies?
2. How long has it been since you had an inspection of your physical property and seriously examined potential problems or physical dangers? If someone were looking for an easy victim, do you appear to be a "hard" subject or a "soft" one? Would they be more or less likely to look elsewhere for an easier victim--be it company or individual?
3. Do you seem to have a constant problem with staff or employee theft, drug use or friction between managers and staff? Do you or family members have personal enemies or are you a potential target for those who might threaten you for personal gain? How well in your personal property protected or corporate inventory controlled? If you are wealthy, how well are your assets concealed? How "high profile" are you or your company?
4. How hard do think it would be for someone to steal information from you or your company that would damage you in the marketplace, embarrass you or put you or your business in jeopardy? Think about the most sensitive piece of information available about you or your company. What would happen if that knowledge was widely known or in the hands of the wrong party? How well is it protected?
5. How devastating would it be for you if your communications systems, information systems or transport systems were completely shut down for few days, weeks, a month or more, totally destroyed?
6. If it was announced that a tornado was 15 minutes away, or that there was a gunman in your front lobby or front yard, or that there was a poisonous snake loose in the building, how would you or those around you react? What would you do?
7. Do you know for certain whether or not the person seated across from you or in the next room has a prior murder conviction? rape conviction? robbery conviction? serious drug conviction? is stealing from you or "cooking your books"?
8. If you were working late alone in your office, how difficult would it be for a complete stranger to obtain access to your building? or if you were working late at the office, for a stranger to gain access to your home? What would you do if that stranger actually appeared in front of you? What would your co-workers or family do if the same happened to them?
9. How likely are you to become a statistic? your family? your employees? your co-workers?
10. Can you remember the last time you did something designed to reduce your personal risk? family's risk? company's risk? How well would systematically reducing the risk of harm be received by your company? your family?
Copyright 2002, Kimberley A. Herndon. Contact:firstname.lastname@example.org.
Editor: Karren Y. Sorrells