Once you've created your initial crisis management framework, how do you go about prioritizing your top risks for additional situation-based planning?
That's the topic that we dive into today in this week's edition of the Managing Uncertainty Podcast. Bryghtpath Principal & CEO Bryan Strawser along with Consultant Bray Wheeler talk about how to shift from your established crisis management framework and plan to situational based planning for your top prioritized risks.
Related episodes of our Managing Uncertainty Podcast and articles from our blog include:
Bryan Strawser: Hello and welcome to the Managing Uncertainty podcast. I'm Bryan Strawser, principal and CEO at Bryghtpath.
Bray Wheeler: I'm Bray Wheeler, a consultant at Bryghtpath.
Bryan Strawser: One that we've talked about, at least, in a couple of previous episodes is this really common call or email that we get from prospective clients. It usually starts with, "I don't have any kind of crisis plan or structure, but my executives have told me I need an active shooter plan."
Bray Wheeler: Yup.
Bryan Strawser: We always immediately steer them towards, "You might need an active shooter plan, but if you don't have anything else, what you first need to establish is a crisis management framework. You need a plan on you're going to deal with any major disruption that establishes, here's the team, here's the process, here's how you're going to communicate, here's how you're going to make decisions, here's how you're going to escalate things." When we talk about a crisis framework, that's what we're talking about.
Bryan Strawser: So, we've talked about this several times. What we want to talk about today is, what happens when you have that in place, and now it's time to take a look around the company and say, "There's probably some specific things I need to write a plan for, but what are those things? So, what do we do next?"
Bray Wheeler: I think, people can get hung up on evaluating different things and scoring different things, and talking to different people. All of those things are important, and all of it needs to come into play, but you really just need to start somewhere. And some obvious places that you can start to have those conversations that kind of whittle yourself in are, "Do we have something recent that we were not prepared for that did not go well?" Say, you're a bank or financial institution, "We had an armed robbery. We didn't have anything in place." Probably need a plan for that. You know, "Something that can help guide us through that kind of situation." That's kind of an obvious starting point, but it's also looking at, what are your top enterprise risks? And start the conversation there. What's have other functions of the company, done any kind of impact, or likelihood analysis that you can borrow from. You can get way down a rabbit hole on a lot of that stuff.
Bryan Strawser: You can totally turn this into rocket science. I think that's a bad route to go. You can do all this analysis of frequency, impact, whatever.
Bray Wheeler: Vulnerability.
Bryan Strawser: Vulnerability. You could spend months making heat maps of your risk.
Bray Wheeler: That's not helpful.
Bryan Strawser: It's not helpful. I remember a project once, internal to an organization many years ago, where a division came to our crisis team and said, "We wanted this detailed threat analysis of our organization so that we can plan around the biggest risk to the organization," and we all looked at them and said, "The number one phone call that we get from your division is the power is out. Can we start by having a process to deal with when the power is out?" They said, "No. That can't be the answer, it's got to be much more complicated than that."
Bryan Strawser: They spent weeks doing analysis and they came back and said, "Hey, our top risk is the fact the power goes out and we don't have generators at these particular facilities."
Bryan Strawser: So, you can turn this into rocket science. Don't do that.
Bray Wheeler: No.
Bryan Strawser: I think Bray's got it right. What are the obvious things that you need to plan for, or what are the things that are driven by regulatory requirements that you have to do? Start there. For example, if you're a financial institution, you mentioned armed robbery, but let's go to a regulatorily driven issue. If you're a financial institution that's subject to the FDIC's and the Office of the Comptroller of the Currencies audit process, then the FFIEC guidelines say, fourteen years after H1N1, that you... I'm sorry, nine years after H1N1, you have to have a pandemic plan. So, one of the scenarios that you need to plan for, is you need to have a pandemic scenario because, from a regulatory standpoint, you're required to have it. So, that's an obvious one. Start there, because you have to have it.
Bray Wheeler: Well, exactly. There's a lot of work being done, whether it's large or small organization and no matter the type of organization, there's a lot of work that's already done that's, people have prioritized these things. Business initiatives, common things that call centers to get called about, or security is getting called about, regulated information that says you need to have these different things. Those are all easy places to start. You just kind of flop them on the table and say, "Okay. What are the ones for sure we have to have? Let's start there." Then as you tick through, or other things bubble up, then you start to address them.
Bray Wheeler: Say you're a mid-sized company, you have an office in the Midwest, and one smaller branch in Florida, probably don't need a hurricane plan. You just need a plan to give shelter to that office, a close-up plan, something for those employees. You don't need a full-fledged organizational plan if you don't have anything that's critical down in Florida. If most of your organization is in Minnesota, a hurricane plan probably isn't the place to start.
Bryan Strawser: Right. Right. I like to tell people, we like to tell people, I should say, we want to look at the obvious risks first. The things that you know are going to happen to you. The things that you're regulatorily required to have planned around. Then I think you can start to get into the outer rings of, "Well, I've covered the things I know are going to happen. I've covered the things I have to have for regulatory purposes. Here are some things that I think are the next circle of risk here." I think you kind of keep going in circles from there as you need to have scenario specific plans.
Bray Wheeler: Well, I think even as you get... As you start to build those things out and you couple years in and you have a dozen, let's say you're really doing a really good job, and you have like two dozen plans of different scenarios, it's important to go back to those plans you've already created and reassess, or "Hey, we've moved in a different direction as a company, this risk that the company is talking about generally, is becoming a bigger deal. Hey, we did a plan for that two years ago. Let's pull that back out and make sure it aligns to what it is that we're talking about, or the direction that we're going."
Bryan Strawser: Update.
Bray Wheeler: I just think that it's, to kind of beat on the point that we're making, it's real, real easy to go down a rabbit hole and it's real, real easy to make, even these plans, more complicated than they need to be. We've seen a lot of different organizations try to account for every little nuance of a situation. That's probably not helpful. When you get into that situation, nobody's pulling that plan out to address it. Really what you're trying to accomplish with these top risks, these more specific plans or annexes, or whatever you want to call them on top of your crisis plan to address the situation is, what are those key unique things in that situation that we need to make sure that we hit right away, or that we need to act right way, or we need to make decisions on right away? Then what are those other nuances that we start accounting for as we move through the situation? It's not another 14 pages on how to do something. That's not helpful.
Bryan Strawser: We could probably do a whole episode just about how to construct plans in an intelligent and effective manner. A couple of things that you brought up that I think are worth elaborating on here, is when are talking about developing these scenario-specific plans, these really should be structured as annexes to your crisis management plan, or crisis management framework, whatever you're calling it, because essentially what you're saying is, "I'm going to take the framework by which I always manage a crisis, I'm going to add this plan content for this specific scenario or situation or type of scenario, I'm going to use that on top of my framework."
Bryan Strawser: Maybe you've got specific checklists by role. Maybe you've got some specific assessment questions, you got some specific strategies you're going to follow, but all of that has to be built, that annex has to be constructed in a flexible way, because to your point, you can over-structure this, where it's too rigid, and you find yourself in the situation where the real-life scenario is slightly off of how you thought it was going to be, and now your annex is shit, because the underlying scenario is different. Or you didn't foresee the combination of factors that got you into the place that you're in.
Bray Wheeler: Or you've positioned it in a way that the people that are responsible for working through those checklists, or kind of working through the process, or helping facilitate that conversation, get stuck up on what order they're supposed to be doing things in, and, "Oh. We didn't call this person, or this thing didn't get done, we can't possibly move on to the next thing." You have to keep adapting and you have to keep moving against whatever the situation is. Those plans should really be there to guide you and make sure that you're accounting for the nuances of those situations.
Bryan Strawser: Part of what I think you have to account for, as well, in all of this, is that you may have developed plans for a number of different scenarios, planning annexes, for a number of different scenarios, your situation that you find yourself in now, is a combination of scenarios. Right?
Bryan Strawser: So, you're pulling two or three plan annexes out, that you got to execute. How do you make that interact? Did you plan it in that way? Do even know, the situational question, which is, do you know that there are really three things going on? You may only see two of them at the time. You may not have the awareness to know there's a third.
Bryan Strawser: So, anyway, the point is, that the annex needs to be able to interoperate. Part of what you want to think about when we started getting into this complex crisis management situation, is what do you do when you have the multiple, simultaneous incidents, or you have the incident, the crisis situation, that has multiple impacts that fit your scenario? Like you've had cyber-attack, and you're under cyber-attack, and now you have a physical attack in your lobby. Okay, those are two same, might be the same crisis, you don't know it yet, but now you've got simultaneous issues going on that you've got to deal with.
Bray Wheeler: As you're working through and trying to identify because I think that's an important point when you're thinking about what risks to prepare for, what's your top risk, it really going back through the annexes that you have, and, or, thinking about, "Okay. Our top risk is a data breach". Great. Okay. "So, let's start there." It's important to have that exercise too, kind of once you're done, a little bit of an after-action, or a little bit of a debrief off of it, going, "Okay. What are those other things," to your point, "That might manifest out of this or may have caused this? Is it a physical security thing? Does that need to be the next thing that we go into a little bit more detail on?"
Bray Wheeler: One I always enjoy that our previous...
Bryan Strawser: Our previous life.
Bray Wheeler: Our previous life. Was the having an annex for a terrorist attack and an annex for a mass-casualty event? Does it really matter, as that organization, the nature of the situation? Is really what you're doing is managing a mass-casualty attack, and later on, it turns into something else. So, as you're thinking about those top risks, it's important to be clear about what it is you're trying to address, because in that case, that organization, there's no responsibility there from a terrorist standpoint. Really, you're treating it as a mass-casualty event. You don't really care what the motivation of the attacker is at that point.
Bray Wheeler: So, it's being really clear as you're laying out what that annex is, what that top risk is, that you're dialing into the right thing that's going to have the impact to your organization that you're accounting for, and not something that's kind of sexy, or high profile, or gives it a different cool spin on something. It's really getting down to the nuts and bolts of what that situation is.
Bryan Strawser: Yeah, I think you make an important point. This could be overdone. We've seen this. We have often seen plan annexes that we're being asked to edit, coming in as a consultant, I think we read a 170 page one back at the first of the year on a... To be fair, it was on a complex topic, and don't want to minimize that the underlying issue was a serious one, but that it was about three times as long as it really needed to be.
Bryan Strawser: You've got to allow flexibility in these plans. You have to make sure they connect to the underlying incident or crisis management process, and they need to able to interoperate with other annexes when you have these multi-impact, complex, crisis situations, that we hope you never have to face, but the reality is if you're in a big company, big organization, sooner or later, you're going to run into that scenario. So, you want to make sure that your annexes and your plans all fit what those unseen possibilities are because we know it will be the combination of events that you never imagined would happen.
Bryan Strawser: The whole time we've been sitting here in this podcast talking, thinking about these multi-impact events, I just keep going back to Japan and the 2011 earthquake off the coast of Natori Province, and that was one of the largest earthquakes in world history, followed by this massive tsunami, and then this rising nuclear issue at Fukushima that came after. It all interconnected, and the Japanese government just didn't have situational awareness to see the big picture, and really struggled in the response that should have been much easier for a company, or for a country rather, that was that prepared.
Bray Wheeler: Well, yeah, because individually-
Bryan Strawser: They nailed it. They had it.
Bray Wheeler: They could execute each one of those situations, probably, brilliantly.
Bryan Strawser: But not all three at the same time.
Bray Wheeler: But all three at the same time, there wasn't that awareness.
Bryan Strawser: So, as you think about how to plan for your top risks, as you build that crisis framework and you're moving forward, our advice, go for the obvious and regulatorily driven risks, and then start to look out from there. Whatever you do, don't turn this into rocket science.
Bray Wheeler: Keep it simple.
Bryan Strawser: Keep it simple. Keep your planning simple. Make your annexes interoperate. We wish you luck. Thanks for listening to this episode of the Managing Uncertainty podcast. We'll be back with you with a new episode next week. Thanks for listening.