One of the most important management competencies is planning. Crisis planning is the preparation of documented action steps designed to improve the organization’s response toward mitigating a disruption’s impact on assets and resources.
Long ago, I was given some sage advice prior to briefing proposed Crisis Planning improvements to the executive team. My boss said, “Remember, Mike, whatever you’re talking about, you’re talking about money.” This truism is an unrelenting one. In tandem with day-to-day operational constraints and limitations, the threat of an event evolving into a crisis consistently challenges an organization’s management team to walk a tightrope between adequate mitigation efforts and fiscal need. In balancing these competing interests, “How much crisis planning is enough?” is a question often posed.
Crisis planning is essential to monitor for, react to, and recover from organizational disruptions. There are three (3) key aspects which provide indicators as to where your program resides:
- Developing and Monitoring the organization’s Risk Profile.
- Defining and Communicating the organization’s Risk Appetite.
- Ensuring Crisis Planning is Established, Implemented, and Effective.
Developing and Monitoring the Risk Profile
A crisis is a disruption of normal operations which exceeds emergency response, or a condition where the entity has no preplanned mitigation to contain or control the disruption. Maintaining a state of normalcy, for any organization, is directly dependent upon the risks to its assets and processes. The key to reducing the frequency and severity of a crisis is to fully understand the organization’s Risk Profile. The organization’s Risk Profile is derived from a methodology which determines how risk varies across comparable assets and processes. When developing the Risk Profile, management assesses the:
- Origins of Risk
- Assets or Processes at Risk
- Vulnerabilities and the Effectiveness of Current Controls
- Probability of Occurrence and the Potential Impact/Consequences
- Scoring and Prioritization of Risk (this aids in the Distribution of Resources)