June 02, 2020 | SSS GRC Team
When a crisis happens, businesses need to be in a position where they can respond swiftly with confidence. The timing of a crisis is unpredictable. It could happen at any moment and have damaging consequences for those who are not prepared for it. The ability for an organisation to respond within the first few hours of a crisis play a key factor in the impact these events can have on it from operational, financial, and above all, reputational perspectives. A lack of consideration or timely reaction during response activities could negatively impact one or more of these areas.
Crises are different to incidents because they are events that have a rare likelihood, but severe impact when they do occur. Crises come in a variety of forms that include pandemics, natural disasters, large data breaches, and loss of key business personnel (e.g. Chief Executives). There are a wide range of stakeholders that can be impacted by different crises, such as employees, shareholders, and customers.
Over recent years, there have been several examples of crises in New Zealand which have emphasised the importance of being prepared when the unexpected occurs.
The COVID-19 pandemic was a worldwide crisis which the New Zealand government swiftly reacted to by placing the country into a lockdown.
Many New Zealand organisations were not prepared for such a situation that would require all staff to work remotely away from their physical offices for several weeks or even months.
Although this event was a threat against the health and safety of people across the world, it had important IT considerations that would determine whether businesses could continue to function.
Many had to upgrade infrastructure, such as virtual private networks (VPN) to allow staff to access the corporate environment whilst at home or increase capacity to validate that all staff could be on the VPN at one time.
Others had to work on updating their processes and procedures to keep staff safe whilst using corporate devices on their own personal wireless networks at home.
Many organisations also had to adjust to limitations on the services they could provide to customers and find new approaches to serving customers under increased restrictions.
Many of these actions occurred days before and even into the level 4 lockdown across the country, and has resulted in a lot of organisations going out of business or losing a lot of human resources due to the inability to operate under normal conditions.
COVID was not the first crisis in our country that required an alternative method to running an organisation.
The Christchurch earthquakes which stunned New Zealand in 2011 not only took lives but destroyed many homes and business dwellings in its wake. This meant many professionals were unable to return to their offices to carry out their day-to-day responsibilities.
A survey by Grant Thornton found that 66% of businesses were affected by this national crisis, of which 18% suffered long-term impacts. Those who survived the impacts were those who were able to respond quickly and make fast decisions to mobilise their business within an altered environment. This included setting up IT infrastructure or finding alternate ways to allow staff to access business resources whilst working remotely for a significant amount of time. Not only this, but organisations had to find ways to emotionally support staff who were impacted.
How to prepare for an unexpected crisis
The following are important considerations and advice to help you prepare for an unexpected crisis. If you need help with your crises preparedness planning, contact us on 04 917 6670.
1. Maintain plans for handling a variety of events
The timeline of a crisis could vary depending on the event. Some may take days, whilst others could last months. As a start, organisations should prepare themselves by ensuring that they have robust plans and procedures which will help them continue to function regardless of how long a crisis could impact them. Examples of such plans include incident response procedures, disaster recovery plans, and business continuity plans. These plans should include clear assignment of ownership and roles before, during, and after the crisis has eventuated.
2. Learn from the experience of others
Learning from the success and failures of organisations that have dealt with an actual crisis allows an opportunity to benefit from their outcomes and experiences. There are a variety of moving parts that need to be managed during a crisis, some of which can be forgotten during the actual response. Forgetting or overlooking these aspects can cause more damages from the crisis, which could include loss of stakeholder trust, wider spread of the crisis across the organisation, or increased media scrutiny. Learning from the strengths and mistakes of others who have faced a crisis can provide awareness of what should/should not be done when reacting during the response.
3. Build a playbook for faster responses
Different crises may require tailored approaches during your response. For example, a response to a data breach will require different actions compared with a natural disaster. Many organisations support their response plans by building playbooks containing a range of crisis scenarios, each with specific response and recovery requirements that vary with other scenarios. Having this playbook allows those involved in a crisis response to quickly identify and understand the specific actions that must be taken for each type of crisis, instead of figuring out these considerations during the actual response.
4. Test your preparedness regularly
Testing your crisis response plans and procedures against different scenarios will help validate that you are able to respond effectively against these events.
Many organisations used tabletop exercises or simulations to put their key personnel in the hot seat and assess the businesses ability to react and respond immediately against crises. Details of the crisis scenario are not commonly shared with participants until they enter the simulation, which replicates the unexpected timing of the event and prevents the individuals from preparing beforehand. Testing should occur at least annually, or more frequently if possible, and assess a different crisis scenario each time.
Regular testing of your crisis response preparedness may also identify opportunities for improvement which can be used to enhance existing response plans and procedures, so that you can use these lessons learnt to be ready an actual occurrence of the scenario.
The more frequently testing is performed, the better key decision makers understand what types of decisions they may be asked to make. The better you become, you can then start to drop some key players out – Afterall, not everybody was available after the earthquakes. There are no second chances for those who do not get their crisis response right during the real event.
5. Look beyond the immediate effects
The effects of a crisis can linger into the weeks and months after it has occurred. Organisations should think about and be prepared for dealing with the crisis beyond the immediate response. The ability to prepare across the immediate and long-term response will assist organisations to recover faster from the crisis and return business back to normal as efficiently as possible.