What follows are practical planning considerations to ensure that an organization is prepared to respond in the event of a major disruption.
Plan ahead for emergencies
Experienced security professionals know that the first step in crisis management planning is to conduct a comprehensive and brutally honest assessment of where the organization stands, what its risks are, and how prepared the security team is to respond to a crisis.
While there is no such thing as a “standard crisis plan,” and every company and every risk profile is different, there are accepted best practices and common planning priorities that need to be addressed. Roles and responsibilities (both departmental and individual) must be clearly defined. Executive participation is critical to securing literal and figurative buy-in ahead of time and making swift decisions in the moment.
A comprehensive plan should have clearly defined triggers and escalation processes, taking the guesswork out of when to start moving assets and people or implementing crisis plans in the event of a major disruption. The best plans are not just tactical, but strategic, and companies should make sure they are dedicating resources proportionately: balancing the likelihood of a crisis with the potential costs and consequences, and making informed and strategic return on investment (ROI)-based decisions on security investments and preparedness.
Manage risk holistically
Holistic risk management is the understanding that one category of risk has a significant impact on an organization’s risk profile elsewhere. The pandemic, for example, has posed a considerable health risk to employees, but it has also impacted operational security (supply chain disruptions) and cybersecurity (new risks with virtual office models), as well as presenting significant political, social, and macroeconomic risks. One change in a complex system has implications for other parts of a company — and the best crisis planning is designed to address the full spectrum of risk.
Prioritize crisis communications
Clear communication is critical, but crises are always chaotic, and standard lines of communication are often unreliable or unavailable. Security leaders should have plans in place to ensure communication in a crisis, recognizing that, as in Ukraine and Russia, mobile phones and payment systems can go down and lines of communication and the flow of financial resources can be severely impacted. Management should be closely involved in crisis communication: to employees, to clients and professional partners, and, in many cases, to the broader community.
Test and retest
Rigorously test the organization’s crisis plan and make sure it is sufficiently robust and flexible. Use scenario-based exercises and dry runs to identify what works and what doesn’t and adjust procedures and crisis team dynamics as needed. Stress-test the emergency plan and security team and use the results to improve and refine the disaster management plans. Recognizing that companies and circumstances change over time, make regular/ongoing testing part of the operational norm.
Avoid common oversights and blind spots
Avoid common mistakes that hinder crisis management planning, such as a lack of vision and a failure to foresee and plan for various scenarios. From pandemics to military conflict, security leaders have clearly seen that there is no such thing as something that can’t happen. Along those lines, don’t make assumptions about the nature or scope of a crisis. Unlikely is not the same as impossible, and plans that make assumptions about the extent or duration of a crisis can be dangerously incomplete.
Don’t plan only to protect the bottom line while ignoring employee well-being; harden organizational crisis management too. Support the security team both individually and collectively and attend to the organizational duty of care. Be sure to learn from the past. The world has been experiencing one of the biggest and most dramatic tests of crisis planning and security preparedness with the COVID-19 pandemic, and if security professionals haven’t evaluated what has worked and what hasn’t (and adapted accordingly), they are missing an invaluable opportunity.
Finally, recognize the value of a trusted security network. Security professionals are communicating and sharing critical information more than ever before. Accurate, real-time information is at a premium in a crisis, and having trusted sources and a strong security network is increasingly important against the backdrop of today’s complex threat landscape.