We are living in an increasingly risky world. Amongst the big risks are Conflict, Climate change, Covid, Cyber, Cost of Living and Civil Disobedience and Protest including Industrial Action. Getting your incident preparedness and business continuity arrangements robustly in place has never been so important. However, I am asked for help by organisations committing one or more of the following seven deadly sins of crisis management.
1. Who is in charge? The Incident Management Team (IMT) Lead is unclear
This is the first deadly sin. All too often plans reference a group of people as being in charge, rather than specific roles. It is worth noting that hybrid working means that Incident Management Teams are likely dispersed, and your Director may well be hours away in their holiday cottage in Cornwall, Cumbria or Carnoustie. If you’ve not practised how you are going to run a hybrid IMT (assuming IT systems are available) you might like to! Given dispersed management teams, it is even more important to focus on training and exercising for First responders and Duty Managers– those first on the scene, especially out of hours who will be managing and stabilising the incident.
Note the team is called an Incident Management Team, not a crisis management or disaster recovery team – imagine how “our Crisis Management team are in charge” might play with the media!
2. The Incident Management Plan hasn’t been updated
Too often plans haven’t been updated since Covid hit, are unwieldy, contain multiple checklists, elements of policy and guidance, and random forms to complete that no one ever uses. Long plans often don’t focus on supporting and recovering business priorities. Less is more, and role specific action cards and aide memoires can really simplify your plan. Too often the task is given to someone in house who doesn’t know what good practice looks like. Help is available!
3. There’s no incident management team agenda and no way of managing information, decisions, and assumptions
When an incident occurs the first questions that are asked are “What has happened” and “what does this mean?” Too often organisations have a limited ability to gather information, or to understand impacts from teams on the ground and their customers. When meeting, having a structured Incident Management Team agenda helps to save time, prioritise the order and flow of information and confirm what are decisions and what are assumptions. If not reviewed assumptions can quickly become fact and trip you up later. You’ll want to list your decisions to confirm focus, and critically, to keep legal records.
4. On call isn’t formalised and relies on a small cadre of committed people
Even in large organisations, there is often a small cadre of committed people who are contacted for all problems. They are probably exhausted after years of holding the fort during Covid and everything since. Baking in single points of failure is never good practice in business continuity!
We also know cyber-attacks are timed for Friday evenings and bank holidays, when cyber criminals know resources are depleted and detection and response is slower. Building fires and leaks (the 2 largest insurance claim areas) are more likely to happen Out Of Hours when there are less people to be vigilant. In fact, given remote working this risk extends into daytime too.
Still using call cascade trees to get in touch with people? They are useful but slow. You might like to consider how you can use technology to mobilise and update your IMT.
5. Crisis communications planning has big holes
The most common gaps here are a lack of training and rehearsal of spokespeople, poor understanding of audiences and having no defined ways to reach them. Additionally, you will want an alternative channels to communicate as an IMT in the event of cyber. Warren Buffet famously said “it takes twenty years to build a reputation and five minutes to ruin it. If you think about that you’ll do things differently.”
6. IT Backups
This common issue is still bringing companies down. This isn’t a hygiene factor; it is business survival especially with ransomware increasing by 300% in some sectors this year according to ThreatPoint. Remember the cloud is also a physical space.
7. Not tested and rehearsed via an exercise.
The final deadly sin is probably the most common and the most easily resolved. To keep arrangements at readiness, especially with ever changing staff, it is vital to rehearse and run exercises. Your IMT need to have practiced making and communicating difficult decisions under pressure and to have practised their roles in response. If not it’s like trying to run whilst tying your shoelaces. They are simply not able to cope with the pressures of an unfamiliar task.
If you recognise any of these seven deadly sins in your organisation and need advice and support with building resilience and ensuring your IMT is Incident Ready, please do get in touch. Incident Ready Consulting is expert at resolving these issues quickly and effectively in a way that energises your resilience.
This list isn’t exhaustive, so get in touch if you’ve another issue or capability gap that is causing you concern.
If you’ve found this interesting, you might like to read the following blogs on this website:
