
DTE001 The Nature of Crisis and Disasters

This module will take you through The Nature of Crisis and Disasters.

  1. Introduction
  2. Characteristics of Crises
  3. Case History: Buncefield Explosion (2005)

The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’

Introduction

If you are dealing with the management of crisis and associated non-normal situations, you should by now have a fairly good understanding of how a security management system works, and how it can be utilised in various ways to identify potential threats, create effective risk control protocols and also create a response capability (‘contingency planning’) in the event that something goes wrong.

Whilst this three-stage management framework creates a structure within which normal security management functions can be designed and delivered (and this is an excellent method for starting off with a blank piece of paper and ending up with a fairly well-developed outline of whatever security management system you might need), it only goes so far. There are times when the nature of the problem is either so great, or so unknown to us, that normal security management procedures just break down. Welcome to the world of Crisis Management!

Crisis Management is the study of how you deal with situations for which it is almost impossible to plan, and which at the same time create a real risk to the continued existence of your organisation. Examples that immediately spring to mind are the attacks on the World Trade Center on 9/11 (2001), Hurricane Katrina and the impact that had on New Orleans (2005), and the tsunami and earthquake in Fukushima, Japan (2011). However, whilst these are incidents that grabbed the headlines across the world, it is equally possible to find examples of corporate and business disasters that required a crisis response from business security managers.

The recent terrorist attacks in Algeria (February 2013) are an example where a relatively stable (though potentially high risk) country suddenly became the scene of a major terrorist attack.

The volcanic ash from Iceland that brought air-travel across northern Europe to a halt in 2011 is another example of an incident that would normally be in the ‘Low Likelihood / High Impact’ corner of a risk matrix coming to life and having major, and potentially catastrophic, impacts.

This module will introduce you to the various sorts of crises that you are likely to be facing, the effects they have on your operation, and the sort of management skills that you will need to be able to respond quickly and effectively to those situations. One of the immediate impacts of a crisis is that it demands that the security team provides leadership and support to the decision-makers in your organisation, as well as maintaining your normal operational roles.

Characteristics of Crises

The word ‘crisis’ has undoubtedly become over-used in our modern world, and is often used to describe situations which although they may be serious and potentially dangerous, are not really true crisis situations.

Most definitions of ‘Crisis’ are based on three criteria:

  • High Level of Threat
  • Time Urgency
  • Confusion

The high level of threat is not only concerned with the nature of the problem you are facing – whether it is terrorism, natural disaster or technological breakdown (imagine how you would be able to manage a situation if the mobile phone network was suddenly not operating), but also with the potential damage that it could cause your organisation and its operations.

In this sense, crisis management is not only about physical survival, but also reputation management and brand management. It is likely that the front page of the newspaper you are reading this morning will have at least one story about an organisation that is under threat because of weaknesses in its own management systems that have led to a genuine crisis situation which threatens its reputation and future operability. Although crises tend to be large-scale and dramatic, and it might seem that every crisis is unique, it is also true that they often share a number of characteristics, and as a start, we can divide crises into two groups, those that are caused by something outside our control, and those which are caused by weaknesses within our own operations.

We usually think of ‘management’ in terms of controlling something, but the truth is that in the modern day, the world is so complex and inter-connected that there are many aspects of our lives – perhaps most of them – over which we have little control. We can’t control the internet, or the mobile phone system, or the ATMs where we draw money from the bank. We can’t control weather systems or climate change, or solar flares or flooding. It is for this reason that to a large extent the things that cause potential crises are events over which we have no influence, and so it is important that we are able to identify what they are, and how we can best prepare ourselves to respond to them in the event that they do take place. Although such incidents are rare, they are still predictable, and it is one of the responsibilities of the security manager to identify potential crises, consider how they could impact on their operations, and prepare as well as possible to respond in an effective manner in the event that they are triggered.

Although we often consider a crisis as something that happens very suddenly, and which is outside our control, it is also true that there are many times when a crisis develops over time, and can be labelled a ‘creeping crisis’. The pattern of development is often the same – there are minor incidents which are signs that a potential crisis is occurring, which are then ignored, and then a slightly bigger problem occurs and the organisation decides to do something about it, but then the problem goes away again, and so the organisation concentrates on something else – and then there is a major crisis, and they have no choice but to do something about it.

Actually, there is very little difference between the organisational response to such warnings and our own personal behaviour in real life. It is probably not much different from when we have a toothache – we ignore it until it becomes so painful that we have to make an appointment with the dentist – and then if the pain goes away, we might well cancel the dentist appointment. Or there might be a leak in our pipes, but we do nothing until that turns into a major flood. In much the same way, when we analyse corporate crises, it is almost always the case that rather than being a sudden event over which they had no control, the crisis, at least in retrospect, can be seen as being the final stage in a process that involved a series of warning incidents that became increasingly serious, and which were consistently ignored.

Case History: Buncefield Explosion (2005)

Whatever the development process of a crisis might be, the fact is that once it is triggered, it causes a serious threat to the continued existence of an organisation. A good example of how a crisis can be triggered by events that are outside of your control is the Buncefield explosion on 11th December 2005. Buncefield was one of the main fuel storage centres for Heathrow airport, and the explosion of the fuel storage tanks was reported to be the largest explosion in Europe since the end of the Second World War (1945). It had a measurement of 2.4 on the Richter scale (equivalent to a small earthquake), and could be heard as far away as Belgium, France and the Netherlands.

The impact of the explosion was immediate, but from a crisis management perspective it is a good example of how many different areas of operation were affected by the incident. The explosion itself, and the fear of further explosions, led to the major evacuation of 2,000 people from surrounding villages. The smoke from the fires meant that a number of major roads had to be closed, including the M1, and a number of flights had to be rerouted as they were coming into Heathrow airport. There were health issues, as people were affected by smoke inhalation, and there were also fears concerning the level of toxic chemicals in the air, as well as the run-off of toxic chemicals into the water supply, due to the water being used by the fire brigade to control the fires.

Local businesses were also affected, as there was a cordon that was put around the area, affecting their ability to get to their own offices, and of course there were many businesses that were situated close to the explosion that were completely destroyed.

The official report into Buncefield identified around ninety businesses that were seriously affected, with costs of up to £550 million (p. 25). Although Buncefield was a massive event, it was a typical example of any crisis in that it affected a wide range of people and demanded a multi-agency approach in responding to it, which meant that many different organisations had to work together to develop and deliver a post-event recovery plan. Its effects were also felt for a long time after the actual explosion, and some organisations affected by it never really recovered. These are issues that are common to any crisis, however big or small, and which will be studied in the following sections.

DTE002 Different Classes of Crises

This module will take you through Different Classes of Crises.

  1. Understanding the Nature of Crises
  2. Case Study: Crisis Management and Heathrow Airport
  3. Hierarchy of Crises
  4. Major Incident
  5. Routine Emergency
  6. Crisis Events
  7. Mega-Crisis Situations


Understanding the Nature of Crises

As was described in the previous section, the vast majority of security management is based on a classical three-stage process involving Risk Assessment, Risk Management and Contingency Planning. The idea behind this system is that if we are able to identify a potential problem before it actually occurs we will then be able to develop security management policies that will prevent those situations from happening, and will minimise the impact of any incident that does occur. We do this by creating a pre-set series of security protocols that everyone on the team is familiar with, and which the team will have practised and, in all likelihood, use on a regular basis as part of their normal working lives.

However, in the 1970s a new theory of crisis management began to emerge, which stated that for a certain sort of problem, there was in fact no effective solution. According to this theory, we are able to deal with simple ‘Incidents’, because they can be seen in terms of an isolated event, which could be solved using simple and well-recognised response protocols. These problems could be called ‘Tame Problems’, because they were no real danger to us, and we understood how they behaved.

However, as situations develop more complexity, they can no longer be solved using simple solutions, but they demand a higher level of cooperation between different organisations and agencies in order to create the necessary response. In this category of situation, there is no single obvious solution, but it demands that different teams need to create a solution through their own collaboration.

Although these situations are not the sort of problems that the people responding to them would be likely to be facing in the normal run of their daily lives, they are nevertheless situations which managers should be able to deal with, based on the basic skills that they have developed and are using on a regular basis in the workplace. Although ‘Routine Emergencies’ are each unique, they can still be seen as belonging to a general class of problems that allow them to be managed in roughly similar ways. An example of different sorts of loosely structured problems sharing similar characteristics is a series of incidents that happened at Heathrow Airport.

Case Study: Crisis Management and Heathrow Airport

Heathrow Airport is often called the busiest airport in the world, and as a central hub of European air travel, as well as acting as a main connector between Europe and US, Asia, Africa and the Middle East, it is clear that even the slightest disruption to Heathrow’s operations would have a knock-on effect across the world. At the same time, any event that affected the flights in and out of Heathrow would also have an immediate effect on the tens of thousands of people using it every day, whether they are family travellers, international businessmen or the thousands of aircrew who man the flights. Despite this fact, Heathrow has regularly been affected by situations that, from a crisis and risk management perspective, should have been well-modelled and planned for, but which actually turned into major international incidents.

In January 2003, the airport was closed because of snow, leading to the cancellation of 300 flights. In 2009, volcanic ash from a volcanic eruption in Iceland caused cancellation of flights across northern Europe for almost a week. In 2007, Heathrow airport was closed because of a terrorist threat following the ‘Shoe Bomber’ scare on a plane from London to New York. Although all of these incidents were different in themselves, as a class of problems – ‘Closure of airport leads to massive disruption’ – they were all extremely similar. Given the expertise that it takes to run an international airport, and the clear potential for some sort of incident to cause major disruptions of flights, which in turn would have significant secondary consequences both on international travel and the thousands of people in the airport, you would expect that there would be a range of possible response options in place to deal with these disruptions.

A properly designed and well-practiced Crisis Management system would allow the various stakeholders and decision-makers to be brought together, so that they could analyse the problems, create solutions, and then put them into practice. However, the truth is that once these incidents occurred, the breakdown in operational functionality, crisis management and organisational leadership was almost immediate.

Hierarchy of Crises

In order to understand the nature of a crisis, we need to differentiate between three different levels of crisis situations. Each of these has different characteristics, creates different challenges and demands different sorts of responses. It is important to clearly differentiate between them, because an attempt to respond to one class of crisis by using the tools that have been developed to respond to a different sort of crisis will result in significant breakdowns in response effectiveness, and may well lead to ultimate failure where the use of the correct set of response tools may well have resulted in a successful outcome to the situation.

Major Incident

A major incident is something that goes beyond normal operational frameworks, but which nevertheless is something that you would be expected to be able to deal with using your existing skills and experience. It is the sort of situation that you deal with as a normal part of your working life, and for which you should have pre-set response programmes in place that allow you to respond in a way that is understood by all of your team. An example is a fire station that is called to respond to a major fire in a block of flats. Although the incident is undoubtedly larger than the normal incidents that the fire crews are responding to, it is still characterised as a well-understood situation, for which they should have well-developed response protocols that are well-rehearsed and are known to everyone involved in the operation.

Routine Emergency

A ‘Routine Emergency’ is similar to a major incident, in that it is something that the people involved in should have the capabilities to deal with, but it is something that also demands a higher level of cooperation and collaboration between different divisions, teams or agencies. An example of a routine emergency would be a road traffic accident at a major junction in a city, or on a major motorway. It is clear that the knock-on effects of that incident would soon be significant, and would involve serious disruption to many people, but nevertheless this is also something that is likely to happen on a fairly regular basis, and therefore the people in control of the response operations should have a good idea of what it is they need to do, who they need to call, and what needs to be done to both solve the immediate problem and to manage the secondary consequences.

One of the predictable problems that happen in ‘Routine Emergencies’ is that although each division or agency understands its own role very well, and is able to deliver the services that it needs to, it is when the solutions they develop are dependent on cooperating with other teams that things start to go wrong.

Crisis Events

Whilst the examples given for major incidents and routine emergencies called on normal agency skills and capabilities to deal with them, whether it is responding to a fire or a road traffic accident, a ‘Crisis Situation’ is of a different nature. To continue with our example of a fire service, a ‘Crisis Situation’ would be a major fire in a chemical factory. This is not just a matter of putting out a fire, but also involves the possibility of a major explosion and the release of toxic chemicals. It would probably require the evacuation of a major area around the factory, as well as the provision of specialist medical facilities in the event that poison gas did escape, both on the ground in terms of specialist ambulance crews, and at hospitals that would be put on stand-by to prepare their specialist response teams. There would be a need to coordinate this with the police and health services, as well as the local council. There would also be the issue of whether the water the fire service used to put out the fire could carry toxic chemicals with it, and therefore where it would run off to.

Given the possibility of chemicals being released into the air, there might be a need to contact the meteorological office to see what the chance of rain was or which direction the wind would carry the gas cloud. That would also lead to a question of how quickly such a cloud would spread, and therefore what would be the size of the evacuation zone. All of this would need to be put in place with the constant awareness that the explosion or gas cloud could happen at any minute. The need to coordinate a wide range of different teams, many of whom would not be used to working in such stressed environments, whilst under immense pressure, little time, not enough information and the constant possibility of a catastrophic event, are all characteristics of a true crisis.

A good example would be a major train crash in an underground tunnel. The different agencies involved in responding to that situation have all developed their own levels of expertise in responding to that sort of situation, but it is when they need to work together that things go wrong. They may use different terminology, they will have a different way of developing plans, their communication equipment may not be able to work together (one of the first things that goes wrong in any crisis situation is that the communication systems break down). All of these things mean that when they actually have to start working together to create joint responses, there are likely to be problems that they hadn’t planned for, and which will severely affect their ability to respond quickly and effectively to the situation.

Mega-Crisis Situations

As can be seen from the examples above, although major incidents and routine emergencies are undoubtedly serious situations, and demand a high level of professionalism from the responding agencies, they still fall within what could be called ‘normal operational capabilities’, and as such we could expect those agencies to respond in a timely, effective and well-managed manner. Even in the crisis situations, even though they are relatively rare, when they do happen the people responsible for responding to them have a strategic overview of what the problem is, an understanding of what needs to be done, and can visualise what sort of actions they need to take.

However, there is also a level of crisis that goes beyond even that. Although it is not really the focus of this study programme, a ‘Mega-Crisis’ is a situation where the nature or the scale of the event is so far beyond what is ‘normal’ that there is literally no plan in place to deal with it. However much the security managers in offices in New York had planned, they couldn’t have been ready for what happened on 9/11. The hotel managers in various countries around the Indian Ocean could not have prepared themselves for the tsunami that hit on Christmas day 2005. The blackout in north India in 2013 that left 600 million people without electricity created problems on every level of society that no security or emergency planner could ever have prepared for. Although these are not issues that we would deal with on a daily basis, they nevertheless are possibilities that should be considered when performing risk assessments, especially in areas where the possibility of major disruption because of national infrastructure, natural disasters or catastrophic weather patterns is higher than normal.

DTE003 Corporate Response to Crises Situations

This module will take you through Corporate Response to Crises Situations.

  1. Corporate Response to Crisis Situations
  2. Impact of a Crisis on Corporate Reputation
  3. Case History: Getting It Wrong: British Petroleum (BP) and Deepwater Horizon
  4. Creating the Corporate Response: The First Hour
  5. The First Twenty-Four Hours
  6. The First Forty-Eight Hours
  7. Finding Positive Examples
  8. Summary
  9. Main Points


Corporate Response to Crisis Situations
Introduction

A brief look at the paper you bought this morning is likely to show at least one example of a crisis situation that has developed, not because of a major outside attack or event, but through basic failures in management skills. A simple test of how good an organisation’s crisis management skills are is whether the media coverage surrounding the crisis becomes focused on how the leadership has failed, rather than how well (or badly) the situation is being handled. Although it may be true that a crisis itself is outside the control of an organisation (though as we have seen, that is not always the case), how the response is handled is certainly within their control.

The first significant example of the difference that effective corporate crisis management can make is usually considered to be the Tylenol incident in 1996. Johnson & Johnson was a major US pharmaceutical company who gained up to 15% of their corporate profits from a single product – Tylenol, an over-the-counter pain-killer that controlled 35% of the US market. In 1992, someone managed to lace some of the product with cyanide, resulting in the deaths of seven people. Johnson & Johnson were slow to react and take control of the situation, and they lost up to $1bn in market value.

In 1996, the same thing happened again, but this time the Johnson & Johnson management team were ready. They immediately acknowledged that there was a problem and withdrew the total Tylenol stock from across the US. The fact that they were showing strong leadership (even though this was a repeat situation) meant that public trust in them remained high. As part of their response, Johnson & Johnson introduced the first ‘tamper-free’ packaging, and as a result, not only regained their market share, but took customers away from other companies that had not suffered from the cyanide scare, but had also not introduced the latest tamper-free packaging.

Impact of a Crisis on Corporate Reputation

Major corporations are not just dependent on sales and profits, but to a large degree are as much concerned – or in some cases, even more concerned – with their corporate image. Whether it is a global consultancy giving the impression of cutting-edge efficiency and the ability to offer its services anywhere in the world, toilet paper manufacturers wanting you to think of puppy dogs rather than what toilet paper is actually designed for, or alcohol and car manufacturers trying to get you to connect their brand with an image of the good life driving along open roads or enjoying parties on a beach, this aspect of brand management, image management or reputational management is crucial to the identity of whatever it is that they are selling.

That is equally true of governments and public organisations. Part of the BBC ‘brand’ is its position as the national broadcaster naturally at home in the living rooms of every house in the country (an image that itself goes back to the 1950s!). The revelations that came out as part of the Jimmy Savile scandal that there had been a culture of sexual bullying and active paedophilia by one of its major stars, which then led to an understanding that in fact there had been a corporate culture that had allowed this to happen over many years, were an extreme example of how corporate reputation is dependent on maintaining a specific brand image.

Recent examples have included supermarkets selling horse meat as part of the cheap food ranges, water companies polluting rivers and other water sources, and even the RSPCA, which suffered high-profile complaints from celebrity supporters because of its policy of pursuing criminal cases against what were seen as vulnerable people for cruelty to animals.

Case History: Getting It Wrong: British Petroleum (BP) and Deepwater Horizon

One of the largest corporate crises of recent years was that of BP and the Deepwater Horizon oil spill. The leak from an oil well in the Gulf of Mexico led to the deaths of 11 people, and the largest oil spill in American history. The oil spill had a massive effect across the region, affecting sea beds, coastlines and local economies. BP was eventually fined $4.5 billion, and put aside $20 billion for potential compensation claims (though it seems that that will not be enough, and final figures may be much higher). In order to pay for the disaster, BP was forced to sell off major operations it held in Russia, and for a time it was even questioned whether BP would be able to survive as a company. The CEO, Tony Hayward, was the public face of BP, and it was his comment to a Congressional hearing in America that the response to the spill was extremely upsetting and ‘he wanted to get his life back’, together with a picture of him enjoying himself on a private yacht whilst the oil spill continued to destroy large parts of the US coastline, that meant that the public outcry against BP became as much of the story as the actual oil spill.


One of the signs that a company has failed to understand the needs of effective crisis management is when their lack of leadership in a crisis situation becomes the story, rather than the actual crisis itself.

Examples of where leadership has been seen to be weak or ineffective include Hurricane Katrina in New Orleans, where both President George W Bush and Michael Brown, the head of the Federal Emergency Management Agency (FEMA), were seen as symbols of the failure of national agencies to respond more effectively to a major disaster. The failure of the political leadership in Japan immediately following the Fukushima earthquake and tsunami in March 2011 was another example of where national political leaders were held responsible for a weak response that did not safeguard the safety and wellbeing of the people after a major disaster.

Although the issue of effective leadership may be one of public relations as much as actual operational management, the perception that the leadership is in position, is taking hard decisions and has a clear view of how it can achieve its objectives is likely to have a significant impact on how the public perceives that organisation. Although many crises catch organisations by surprise, once they have been triggered there are a number of things that an organisation can do in order to give itself the best chance of creating an effective and well-received crisis management response.

Creating the Corporate Response
The First Hour

One of the signs of how ‘crisis aware’ an organisation is, is how long it takes until they are prepared to acknowledge that a crisis exists. It is natural in any organisation to ‘wait and see what happens’, but that often means that by the time the organisation does recognise a crisis, and starts to respond, the crisis itself has already grown beyond its original state, and has got bigger and potentially more dangerous. Because crises are, by their very nature, rare events, there is often a lack of experience in dealing with them, which means that most people do not know what it is that they should do in such a situation.

Because it is likely that any crisis will be accompanied by confusion and a lack of information, it is important that the very first stage of an organisation’s response should be well-understood, and rehearsed if possible. The initial response to a ‘crisis status’ should be almost automatic, with the critical top-level decision makers being informed; a communication system put in place (it is quite possible that the people who need to be in on that first conversation may be overseas, or on holiday, or it might be a Sunday morning and their mobile phones are turned off…); and a support team, led by a team leader, gathering as much information as possible and putting together a briefing for the decision makers as to what the current situation is, what is known, what is not known, and possible implications for future threats and actions. This Stage 1 process allows the organisation to bring the decision-makers together (even if it is only on a conference call), to assess the situation, and to put initial measures in place in preparation for the next stage.

The First Twenty-Four Hours

Within the first twenty-four hours of the crisis status being declared, there should be a clearer picture emerging of what the nature of the crisis is, what impacts it might have on the organisation and its operations, and whether it is likely to turn into a longer-term problem. The nature of the crisis will determine who exactly needs to be on the crisis management committee, but it would include managers from the HR division, facilities management, legal team, IT department, security team, as well as senior company executives. There may well be the need to include the PR department in the event that the crisis is not just an in-house affair, but could impact on the company’s reputation. These are the people who will put together the crisis response programme that will ensure the safety and wellbeing of the company’s assets (both personnel and facilities), as well as putting in place a recovery programme if necessary. From a crisis management perspective, it is important that the top team has an effective support team around it, to ensure that information can be brought in and decisions handed down as effectively as possible.

As in any crisis, it is likely that the initial period will suffer from a lack of information and a clear idea of what exactly has happened, who has been caught up in it, and what the wider implications are. It is one of the functions of the crisis management team to start developing a picture of what the situation is and how they can best respond to it, which in turn will reassure all stakeholders (staff, family members, shareholders, business partners and the wider public) that the leadership of the organisation has taken effective control.

The First Forty-Eight Hours

Within forty-eight hours the crisis management framework should be in place, and should have settled into a routine that would enable it to carry out its functions whilst allowing the rest of the organisation to carry on with its normal business (as much as possible).

Once a crisis has gone beyond forty-eight hours, there are issues such as rotation of teams (everybody has to go to bed at some time!), collation of information (it is likely that there will be a review after the crisis is over, and it is important that all information concerning decision making is kept safe, as that will be an important part of any review that is held), as well as coordination with a wide range of other departments, both within the organisation and with other organisations, inside the country and overseas.

The structure of the crisis management team should have become clearer, with clear lines of responsibility for the management of the overall crisis response, and for reporting to the main board, if appropriate. The operational issues would have become clear, together with possible options for response. In short, at the end of forty-eight hours, the initial adrenaline shock of the crisis event should have passed, and the organisation should have returned to some level of operational normalcy.

Finding Positive Examples

For any security manager, the opportunity to find strong examples of good working practices should never be passed up. Next time there is a major disaster in the news, look at how the various organisations involved manage the situation. Which are the ones that have clearly prepared for it, and which are the ones that don’t know how to react? How quickly does a sense of normalcy return? How well do they manage the media? Who gives an impression of effective leadership and who looks lost? Who do you trust to know what they are doing?

The lessons that you will learn from observing others in what are, hopefully, rare events will give you valuable insights into how you can best prepare your own organisation for such a situation, and how you can make the most effective contribution to business recovery in the event that you are ever caught up in a similar scenario.


Summary

It would be nice if crises gave you a warning, and though this sometimes happens, the usual situation is that they come as a complete shock. The ability of the senior decision-makers to acknowledge, assess and make effective decisions, even when there is a lack of information, high levels of confusion and extreme pressure (with the risk of catastrophic losses), is critical to the eventual outcome. Although each individual crisis is unique, prior planning and the development of a ‘risk aware’ culture will set the foundation for effective crisis response, whatever the triggering event may be.


Main Points

  • Any organisation, however rich, powerful or popular, can lose everything within forty-eight hours once a true crisis strikes
  • The most important stage in the crisis cycle is ‘crisis recognition’. This is the time it takes for an organisation to recognise that there is a crisis, and is a crucial factor in the effectiveness of the initial response
  • The first stage of the corporate response should be an automatic process, bringing together decision makers who can assess the situation and decide on an initial strategy
  • The first stage of crisis response is likely to be ‘What happened?’ rather than ‘What shall we do?’. The quicker that picture can start to be built, the quicker an appropriate response can be developed, and the more effective it will be

DTR004 Business Continuity Management

This module will take you through Business Continuity Management.

  1. Introduction
  2. Objectives of BCM
  3. Back-Up Facilities
  4. Communications
  5. Decision-Making
  6. Stabilisation
  7. Testing and Verification
  8. Summary
  9. Main Points

The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’

Introduction

Given the fact that crises are usually large scale, unexpected and to a large degree outside of the control of the security manager, it is likely that any crisis that does occur will have a major impact on the operations of a company, including widespread disruption or even total collapse.

Business Continuity Planning (BCP) and Business Continuity Management (BCM) are two aspects of the recovery stage of the post-crisis response that will almost certainly involve the security management team. This section will look at some of the basic requirements of any BCP and BCM programme, but for more detailed information you can refer to International Standard ISO 22301:2012, which gives a full insight into the requirements of corporate BCM.

The purpose of Business Continuity Planning is to ensure that there is a framework that can be used to maintain the operations of the company under the widest possible range of risks. However well the plans may be designed and written, anything which is more than a routine situation will involve a significant level of disruption and confusion, and will need the written BC plans to be adapted to the reality of the situation that the managers are facing. This is more evident the larger the organisation is, especially when the deployment of the BCP goes beyond a matter of personal discussions, and requires high levels of multi-division coordination. The need to utilise BC plans at the same time as maintaining the core functions of a business’s operations is always going to be a process that tests a security manager’s skills to the limits.

As in any security management programme, the first stage in developing a business continuity plan is to carry out a risk assessment, so as to identify what sorts of risks might need to be planned for. Each of these identified risks would affect the operation in a different way, but they all share the common quality that they would cause significant disruption to the ability of the company to manage its business on a normal basis. In a typical city office that might include IT failure, flooding, terrorist threat, transport failure (so that employees can’t get in), rioting, power failure, etc. For a company that runs overseas operations, identified threats might include natural disasters, political upheaval, social unrest, terrorism, organised crime, K&R (Kidnapping and Ransom), or any of the other risks that might be identified depending on the specific geographical, political and social environment within which it is operating.

Objectives of BCM

The development of a BCP will always be something that involves a high level of collaboration with a wide range of other divisions, and it is the ability to coordinate different divisions that might not normally have a close working relationship that will set the foundation for effective shared decision making and delivery of solutions in the event that a major business disruption were to occur.

Back-Up Facilities

One of the first questions that any BCP will pose is ‘What would we do if our present facilities became inoperable?’. That might be because of something directly connected to the building – a gas leak, for example – or it may be something that you get caught up in that actually has nothing to do with you. There may be a terrorist attack in the next street, but your building is inside the inner cordon that has been set up, and you may not be able to have access to that site for days or even weeks, or you may share your building with a major petrochemical company that becomes the target of sit-in protestors or a hostage situation.

In the event that you did need to move your operations to another site, it is critical to the success of that move that everything that you need is already in place. One weakness of many BCPs is that they presume that the organisation will be able to do something that, in reality, it will not. They may presume, for example, that people will be able to access the building in order to retrieve computer files or other documents. However, as a security manager, it is important that you look at your BCP with honest eyes, and don’t make presumptions that would certainly make your life easier, but are not likely to hold if a genuine situation were to arise.

Communications

As in any ‘non-normal’ situation, communication is the absolute key to getting things done. However effective the BCP might be, there will always be the need for a large amount of communication between all the various stakeholders, who will be assessing the situation and adapting the BCP according to the specific and immediate needs. As well as the need to communicate with the other people involved in the BCP – and that is likely to be all employees, in one way or another – there is also the need to communicate with clients and suppliers, to reassure them as to the current situation and as to how long it will take to resume normal operations (or at least, as near to normal as possible).

Decision-Making

As in any crisis management situation, events on the ground may require fast and decisive decision making, and one of the main causes of failures in BCP is the fact that it is not clear who has the authority to make decisions, and to what level. Many of the actions that will be taken will need to be paid for – getting specialist cleaners in to clean up your office after a flood, hiring coaches to take your staff to the new offices, paying for hotel rooms and meals, hiring a third party supplier (TPS) to supply emergency communications networks, etc. If each of these questions leads to significant delays in making the decisions and putting the actions into place, then it is clear that there will be a cumulative delay that will mean that the BCP itself will become increasingly ineffective and the situations that you are facing will become increasingly serious and difficult to respond to.

Stabilisation

It is likely that the impacts of the events that lead to the triggering of the BCP will have a ‘long tail’, in that they will continue to affect your operations for a long time after the initial problem. However, even if you may not be able to restore the whole operation to the status that it was in before the crisis started, one of your objectives is to reach a stage where normal activities can carry on, as best as possible, whilst the rest of the recovery programme runs in parallel to that.

Testing and Verification

Given the potential level of impact of the failure of any BCM programme, a critical part of any organisation’s BCP is the testing and verification of any BCM programme that has been developed. Although it is clearly impossible to fully recreate the conditions that would be present in a full-blown crisis, it is still possible to test the programmes and the ability of critical staff to implement them through a series of progressively more complex and challenging scenario-based training.

As an example of a simple verification exercise, one of the problems in any BCM plan is that the information held in it changes. People move jobs or leave the organisation altogether, functions are moved to different offices, there are corporate reorganisations so that reporting chains may change, entry codes to various locations may be changed. This is all critical information that is fundamental to the effective management of any BCP.

Given the level of organisational stress that is involved in any BCM operation, together with confusion and personal pressure, the impact of such out-of-date information is almost impossible to calculate. To phone someone up who is listed as the Business Continuity Director of a particular division, only to find out that that number no longer exists because that person left the company two years ago, is not helpful, to say the least. A significant issue in the testing and verification of BCM plans is that the information that they hold is reviewed, updated and checked.

On a practical basis, the way that BCM plans can be tested (and then improved, based on the lessons learned), is to hold regular table-top exercises that allow people from different divisions to work together in making decisions, putting plans in action and creating a general corporate-wide business continuity capability. These exercises do not need to be overly complicated, and they certainly do not need to be high-tech, but they should bring as many people together as possible to find out how they can best work together, as they identify potential problems, and create enhanced capability at every level of the operation.

Summary

It is in the nature of crises that they tend to be unexpected, and there is never a good time to have one! However, the better the planning and preparation for dealing with them, the more likely it is that the organisation will be able to survive the initial shock. They will then be able to utilise their BCP to deliver a response that will ensure the safety and well-being of staff at the same time that they maintain the operational functionality of the organisation to the greatest degree possible. They can then use BCM to stabilise and reassess, making the necessary decisions that will enable them to return to normal operating status as smoothly and effectively as possible.

Main Points

  • The underlying standards for BCM are covered by ISO 22301:2012
  • Effective BCP is something that is on-going, rather than a single event
  • All plans should be reviewed, checked and updated on a regular basis
  • BCPs are only paper – it is people that make them work.
  • The more you test and revalidate your plans, through table-top exercises and other similar training events, the more effective your response will be in the event that it is required

DTR005 Crisis Management and Social Media

This module will take you through Crisis Management and Social Media.

  1. Introduction
  2. Uses of Social Media
  3. Case History: Social Media and the Queensland Floods
  4. From the Queensland Police Social Media Report
  5. Basic Services
  6. Why Did It Work?
  7. The Benefits of Social Media in a Disaster
  8. Lessons Learned
  9. Summary
  10. Main Points

The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’

Introduction

Of all of the developments that have had an impact on crisis management over the last ten years, one of the most significant has undoubtedly been the rise of the use and availability of social media.

If we think of the events of September 1st 2001, with the attack by the two planes on the World Trade Centre in New York that marked the start of the modern security management era, then the vision that you have of that event will undoubtedly have come from iconic images that you saw on the television. If you think to the Boston marathon bombing that took place in June 2013, then the likelihood is that the images that you have in your mind from that event are not from some centrally controlled television broadcaster, as sent to them by a professional news crew, but rather pictures taken on people’s mobile phones and uploaded almost instantly onto the internet.

The ability that modern social media has to connect people instantly across the globe is something that we are still coming to terms with, but from a security manager’s perspective it is undoubtedly one of the most powerful tools that they have for accessing, managing and controlling information on a whole range of levels. The use of social media, that is, shared open access media such as Facebook, YouTube and Twitter, as well as SMS texting systems, is something that is still developing as it concerns crisis and emergency management, but it is generally accepted that the first ‘social media disaster’ was the Haiti earthquake in January 2010.

Haiti was an example of a ‘true crisis’ in that there was an almost total destruction of local infrastructure, and complete lack of reliable information sources. For many companies with employees in the area, social media was the only way that they could communicate with them, assess their needs and maintain an on-going dialogue throughout the early days of the disaster. Even for international news agencies, such as the BBC, social media was one of their main sources of information.

Uses of Social Media

In general terms, social media can be used in one of three ways. It can be used to ‘push out’ information, that is, it can be used by the central command or headquarters to send out information to everyone it is connected to. As an example, it could be used to inform the public of an emergency telephone number, or where the meeting point for an evacuation might be. Secondly, it can be used to ‘pull in’ information, using its network of connected people out in the world to supply information. In the event that there is a flood, for example, social media is an excellent way of understanding what is going on with outlying facilities, what the damage has been, what the impact has been and what steps need to be taken.

Another example is if an incident has occurred in a foreign country, and you need to have local information translated into English. It is possible that you do not have a native-speaker within your own organisation, but that is something that is easily accessible on social media. The third use of social media is to monitor general situations through ‘crowd sourcing’, that is, by plugging into the world-wide online community and seeing what other people are talking about.

As one journalism blog reported, the power of crowd-sourcing can be seen by the fact that within 48 hours of the Haiti earthquake, the ‘Earthquake Haiti’ Facebook group had 170,000 members, and the Red Cross, whose previous largest fundraising campaign had raised $190,000, had raised $8 million within the first three days through social media.

However, as with any aspect of crisis management, however powerful social media might be, it doesn’t just happen. It is the ability of an organisation to understand how it works, how it can be used, and what effect it might have that allows it to become the powerful tool that it has the potential to be.

The design and use of social media is one area of security management that requires expert knowledge, and any system that is designed by non-experts is likely to be less than optimally effective (and actually, may well fail completely) under the pressure of a crisis situation. In order for it to be effective, the use of social media needs to be woven into the fabric of a company’s daily routines, so that if a crisis does occur, everyone is already familiar with social media and comfortable with how they can use it.

Case History: Social Media and the Queensland Floods

One organisation that was an ‘early adopter’ of social media, and has subsequently had it tested in genuine crisis situations, is the Queensland State Police Department in Australia. They initially established a presence on Facebook, Twitter and YouTube in May 2010, and had an opportunity to test it out in real-time conditions only six months later.

Heavy rains in December 2010 started to affect wide areas of Queensland, the second largest state on the continent, and by December 24th a state emergency had been declared. On 10th January 2011, a flash flood that was described as an ‘inland tsunami’ occurred that led to significant and wide-spread flooding. By the second week of January, 200,000 Queenslanders were flood-affected and three-quarters of the state was declared an official disaster zone. This was a perfect scenario to test the effectiveness of social media, given the wide geographical spread of the disaster and the isolated position of many of the people affected.

The police were able to use social media to inform the general public of the developing situations, with real-time updates on an almost minute-by-minute basis. They were also able to use social media to monitor the situation based on reports that were coming in from people who were on the front line and were immediately aware of changing conditions. A third impact of social media was the creation of a genuine community feeling, given that everyone on the media sharing sites was aware that they were listening in on experiences that were terrifying and devastating for the people involved.

Lessons Learned from the Queensland Experience

The Queensland State Police Department put out a report following the flooding, outlining the development programme that they had used and identifying some of the lessons that they had learned. It gives a one-document outline of how social media can be used, if designed properly and managed effectively. This outline could be used by any organisation that is looking to develop its own social media presence.

From the Queensland Police Social Media Report

  • Acting as a centralised clearing house for disaster-related information through Facebook and Twitter as soon as it became available, including details on behalf of other departments and authorities
  • Live video streaming of the Brisbane-based disaster-related media conferences on the QPS Facebook page with the video subsequently posted on the QPS YouTube channel
  • Live Tweeting key points as they were made in briefings and in these media conferences
  • Uploading bullet point summaries of the media conferences to the QPS Facebook page shortly after their conclusion
  • Uploading at least daily audio updates to Facebook from local disaster coordinators around the state
  • ‘Mythbusting’ of misinformation and rumours in the media and community
  • Tweeting most QPS Facebook posts generally using the #qldfloods, #TCYasi or #mythbusters hashtags
  • Providing 24/7 moderation of the QPS social media accounts, responding to inquiries from the public where possible
  • Coordinating sign language interpreters to assist with most media conferences
  • Coordinating the translation of media conference summaries into other languages for affected tourists and relatives based internationally

Why Did It Work?

  • Police Media had high-level organisational support, including from the Commissioner and Deputy Commissioners
  • Social media had a champion in the Executive Director of the Media and Public Affairs Branch who championed its benefits from within the QPS Senior Executive and set the direction for the media and public affairs team
  • Police Media was fortunate enough to have the benefit of a seven-month trial in which the team was able to become comfortable with its use and imbed it as part of its daily processes prior to a disaster occurring
  • Through circumstances Police Media was able to quickly prove the worth of social media during two major disasters.

The Benefits of Social Media in a Disaster

  • It is immediate and allowed Police Media to proactively push out large volumes of information to large numbers of people ensuring there was no vacuum of official information
  • The QPS Facebook page became the trusted, authoritative hub for the dissemination of information and facts for the community and media
  • Large amounts of specific information could be directed straight to communities without them having to rely on mainstream media coverage to access relevant details
  • The QPS quickly killed rumour and misreporting before it became “fact” in the mainstream media, mainly through the #mythbuster hashtag
  • It provides access to immediate feedback and information from the public at scenes
  • The mainstream media embraced it and found it to be a valuable and immediate source of information
  • It provided situational awareness for QPS members in disaster-affected locations who otherwise had no means of communications.

Lessons Learned

  • If you are not doing social media, do it now. If you wait until it’s needed, it will be too late
  • Rethink clearance processes. Trust your staff to release information
  • Add a social media expert to your team. While there should be shared responsibility for uploading information and moderating social media sites, expert technical advice and trouble-shooting will be necessary from someone with an IT background
  • Do not treat social media as something special or separate from normal work processes. It should be integrated as standard practice
  • Do not use social media solely to push out information. Use it to receive feedback and involve your online community
  • Established social media sites are free and robust which can handle volumes of traffic much larger than agency websites
  • Ensure that information is accessible. A PDF is not the most accessible way to deliver information.
  • Machine-readable information such as geocoding allows the information to be more accessible and usable for others.

Summary

The growth and spread of social media has been one of the most significant developments in crisis management and disaster response over the last few years. In a world that is increasingly dependent on fragile communication systems, it offers a genuine opportunity for security managers to create a self-managing and extremely robust crisis management system that is likely to be functional and effective when other systems break down. As in any security management system, the way that the use of social media is developed and managed has to take into consideration the culture and strategic objectives of the wider corporate organisation, but it should be something that is at the heart of the security department’s strategic development programme.

Main Points

  • In the present world, where the management of information is a crucial aspect of any security operation, social media is a tool that can’t be ignored
  • Social media is not something that can just be added on. It has to be developed and managed in the way most appropriate to each organisation
  • The effectiveness of social media is dependent on the ease with which people can access it and contribute. It should be a genuinely open-source network
  • In the event that a genuine crisis does occur, social media may well be your best – and quite possibly your only – way of communicating with your people spread out across the world. Make use of it!

DTR006 Self-Auditing for Crisis Management

This module will take you through Self-Auditing for Crisis Management.

  1. Introduction
  2. Ten Questions You Need To Ask (And Answer!)
  3. Summary
  4. Main Points

The information in this document is part of the Deltar
‘Level 4 Management Award in Advanced Risk and Crisis Management’

Introduction

Although crises are usually large-scale, fast escalating and highly impactful, with catastrophic failure always a possibility, the truth is that many crises are actually the result of a failure of an organisation to respond to what are relatively minor and actually quite well understood problems. We could say, therefore, that the cause of the crisis is not the outside event, but the capability gap that leads to a failure to either recognise the potential crisis in time, or to respond effectively once a crisis has been triggered.

If you look at whatever crisis is making the media headlines as you go through this module, it is likely that the underlying cause of that situation is inbuilt weaknesses within that organisation that are known, and have been known for a long time, but which have not been dealt with. It is also possible that not only has the problem been known, but that the organisation that is suffering from the crisis has actually spent a significant amount of time and energy in either ignoring the problem, or in actively covering it up.

This section will look at ways in which you can check out your own organisation for inherent vulnerabilities, decide whether the right level of crisis management awareness and capability has been achieved, and identify exactly where the weaknesses and vulnerabilities lie which are almost certain to lead to systems breakdown in the event that a crisis event is triggered.

10 Questions You Need To Ask (And Answer!)

  1. Is there a clear understanding of the three levels of crisis management, and do the people who would be expected to fulfill those roles have the necessary skills and capabilities?The Strategic level is composed of the decision makers who are brought together in the first few hours to map out the company’s response. The Tactical level are the managers who would be expected to work together to put together a crisis management plan, and the Operational level consists of the team leaders and people on the ground who would put that plan into practice.Although this makes it sound quite simple, the ability to work effectively on all three levels is something that often falls apart in the pressure of crisis response, and it is the failure of the organisation to have a robust crisis management framework that actually causes many of the subsequent problems.
  2. Can you get the right information to the crisis management team?The problems in most crises is not that there is not enough information, but that there is an overload of information, much of which will be contradictory, and all of which needs to be assessed and judged as to its accuracy, its relevance, and its place in the overall picture. The presence of a team that can sort that information, and pass it on in a structured form to the decision-makers will be a critical step in creating an effective crisis management framework.
  3. Are you able to create effective multi-division teams, and are they able to make decisions and put plans in place?A crisis management team will inevitably be made up of a wide range of different groups, many of whom will not have worked closely together before, and some of which will have extremely differing cultures in terms of decision-making, authority and chains of command. The effectiveness of the Crisis Management Team is dependent on having a structure that allows those different groups to be integrated into a single team, and to develop effective working procedures that would allow different groups to work together in as seamless a manner as possible.
  4. How do you manage the ‘Time Gaps’?There are two significant ‘Time Gaps’ in any crisis management situation. The first is the time that it takes for an organisation to realise that there is actually a crisis event in place, and that it is rapidly escalating. The second is the time that it takes between that realisation, and the decision to do something about it. The more effectively an organisation manages these two time gaps, the more effective their response will be.
  5. Do you trust the people on the ground to make decisions?Once a crisis has occurred, it is often a natural reaction for central management to try and control the situation, creating plans and issuing orders. In fact, this is likely to be an ineffective management model, and it is almost always more effective to allow the people who are closest to the situation to assess the needs and develop appropriate responses. It is a basic truth of crisis management that the further away the person making the decisions is from the actual scene of the operation, the less effective the decision-making will be.
  6. Do decision makers have the necessary experience?In crisis situations, people tend not to make decision in an analytical way, but rather through using their own experience to ‘recognise’ a situation, to develop immediate ‘best option responses’, and then to adjust those as more information comes in.. However, the effectiveness of such ‘intuitive decision making’ is based on the experience of the practitioner. If the person in that position does not have the necessary experience, the likelihood is that both their intuitive decision making and their analytical decision making will be flawed.
  7. Can you control the overwhelming amount of information coming into the system? The single most important function of any crisis management operation, and the single most common cause of failure, is the ability to manage the flow of information around the system. The crisis situation is likely to be unstable, and changing on a continuous basis. There will be new information coming in, changing priorities, requests for clarification, needs to coordinate and collaborate between different teams, etc. Anything that creates blockages, delays or confusion within this process is likely to have major and significant impacts on the final outcomes.
  8. Can you manage your relationship with the outside world? Although the immediate requirements of the crisis situation may be taking up all your time and attention, it is also important to remember that there may well be a wide range of other stakeholders that you need to manage. These could be suppliers, customers, clients, partners, other companies in your sector, media outlets, regulatory bodies, etc. If the impression is given that the organisation is not in control of the situation, then the focus of attention will no longer be on the crisis event, but rather on the failure of leadership in response to that event. This can happen at even the highest level of global management, and with people who have unlimited resources at their disposal. Obvious examples are President George W. Bush in response to Hurricane Katrina, the Japanese government in response to Fukushima, or the response to failures in leadership by G4S in relation to the 2012 London Olympics or Tony Hayward in relation to BP and the Deepwater Horizon oil spill. Once an organisation’s leadership is forced to be defensive about its own actions, it is almost impossible to recover the initiative.
  9. Have you prepared properly? Crises do not have to end in failure, and in fact, can be seen as opportunities. Security managers who have been given the support to develop effective crisis management capabilities will not only protect their organisations, but will give them a significant competitive edge in the event that they are challenged by a major crisis situation. However, as important as the individual skills are, it is the corporate risk attitude and culture that will have the greatest impact on the ability of the organisation to identify potential crises at the earliest opportunity, to respond in a timely and appropriate manner, and to embody the concepts of organisational resilience that will allow the speediest recovery in the post-crisis period. Real crisis management does not start when a crisis is discovered, but is an embodied value intrinsic to every aspect of an effective organisation’s operation.
  10. ?????? These are only some of the possible significant questions you need to ask. We have left the tenth question free, so that you can add your own.

Summary

Crisis management is perhaps the greatest test of a security manager’s skills, and yet it is often the area where we have least training and preparation. Most of the activities that fill a security manager’s day are routine, and in fact it has been said that whatever your job might be, you will probably spend eighty per cent of your time managing the same five things.

If there is one thing that any serious security manager should recognise, it is that the vast majority of crises don’t just happen – they are caused, and the main reason that they are caused is through weaknesses in that organisation’s own management procedures. Creating effective management protocols, and developing the ability to recognise the causes of potential crises before they escalate into actual crises, is perhaps the greatest service that a security manager can provide to their organisation.

Main Points

  • Although crises are large-scale dramatic events, they are almost always the result of a series of minor problems that are ignored or deliberately hidden
  • Crisis management can be prepared and practiced. Use the checklists in this section to identify where your own organisation might have institutional weaknesses
  • Crisis management will always involve high levels of cooperation and collaboration. Make sure that the other divisions that you will need to work with understand what is needed in crisis situations
  • You are the security manager. Accept the responsibility. Do not leave it to someone else less able than you to do it!

DTR007 Introduction to Risk, Resilience and BCM

This module will take you through Introduction to Risk, Resilience and Business Continuity Management.

  1. Introduction
  2. The Changing Nature of Modern Risk Management – Complexity
  3. The Three-Stage Risk Management Cycle
  4. Centralized Management
  5. Emergency Incident Management
  6. Business Continuity Management
  7. Business Continuity and Crisis Management
  8. Corporate Risk Management and Decision-Making
  9. Planning, Training and Exercising of Gold, Silver and Bronze Levels
  10. Risk Management System based on the ISO 31000 Standard
  11. Organisational Resilience Management


Introduction

Modern risk management has changed significantly over the last twenty years, and it can be said that 21st-century risk management is so different from previous generations that it can be seen as a subject demanding its own specialist skills and study.

Many security and risk managers have ‘learned their trade’ by doing the job, and although there is now an increasing range of professional courses, qualifications and even advanced academic degrees in risk and crisis management, the simple truth is that many people who are tasked with increasingly complex roles in organisations, including risk management, business continuity management, resilience, and crisis management, have not been given the skills, training or experience to truly understand how such roles should be fulfilled.

The purpose of this course is to give participants an insight to all of the major functions of a modern risk and crisis manager, including planning, team development, capability development and response management. It will enable them to return to their organisations with the knowledge and skills that will allow them to take leadership in all aspects of risk and crisis management, and to have a clear understanding of what is required in order to plan for and respond to the widest range of potentially disruptive events.

The Changing Nature of Modern Risk Management – Complexity

If there is one factor that is central to the study of modern risk and crisis management, it is complexity. The world itself is more complex, the nature of the problems and challenges we are facing is more complex, and the nature of the solutions that we are required to deliver is more complex.

These are critical issues that the modern risk manager needs to be aware of, and it is the overarching objective of this course to provide participants with all of the tools, skills and capabilities they need in order that they can take leadership in their own organisation for all aspects of security and risk management, offering the same level of professionalism as would be expected from the senior managers in any other division.

The Three-Stage Risk Management Cycle

Classical Risk management is based on a well-recognised three-stage management process, namely Risk Assessment, Risk Control and Contingency Planning.

Each of these sections has its own models and templates, but all are designed to deliver an integrated, rational risk management programme that will allow the risk managers, the organisation as a whole and the individual departments within it to identify potential problems, to initiate protocols and processes that will minimise the risk of those events happening, and then will give the organisation the widest range of response options that can be used in the event that such an event was to occur.

Centralized Management

The challenges and pressure associated with risk management mean that special thought must be given to the management structure itself. As an example, what level of authority is given to lower-level teams, or those that are working farther away, and what level of authority is maintained by the central management structure? It must then be asked whether these are appropriate to both normal operating activities and to emergency management, or whether there is a need to have the ability to adapt those management structures depending on differing circumstances.

Each event will require a unique response, and the ability to create a response management framework that is most appropriate to the scale, intensity, duration and impact of each event is one of the fundamental challenges for all emergency response managers.

Emergency Incident Management

Once an incident does occur, there is the need to have automatic response protocols in place that can be triggered to manage the response to the initial stage of the incident, whilst information can be gathered, decisions made, plans formulated and responses agreed.

The development of such plans is a critical function of security and risk management, and will be a significant issue in deciding how effective an organisation is in responding to such an incident if it were to occur, and in deciding how effective the organisation would be in safeguarding its own operations, functions and capabilities.

Old and New Versions of Incident Command Systems

The technology has changed, but the objective remains the same:

  • Gather information
  • Create a plan
  • Communicate with teams on the ground

Business Continuity Management

Business Continuity Management (BCM) covers both the development of BCM plans, also called Business Continuity Planning (BCP), and the management of the response once an unwanted event has occurred. The purpose of both BCP and BCM is to ensure that the organisation has the capability to respond to the widest range of possible events in the most robust and resilient manner, in order to maintain its functionality, and in the worst case, its continued existence.

Given the high level of dependency that any organisation has in the current world on outside factors, the ability to develop effective business continuity management plans is also critical in identifying potential critical failure points that can then be managed pro-actively before a potentially disastrous event occurs. From this perspective, BCP is part of the organisational strengthening cycle rather than just a set of plans that are used once an event has occurred.

One of the issues at the centre of all business continuity management is the issue of risk communication. Different people have a different attitude to risk – some are more risk averse, in that they prioritise the known and safe over possible new opportunities that are unknown and may be considered potentially risky, and others may see the same opportunities as being worthwhile in terms of the potential benefit, and believe that the risks themselves can be managed in an effective way.

The ability to discuss such matters in a way that allows everyone to understand the issues involved, and come to an agreed position, is at the basis of risk communication, and allows different risk management strategies to be considered that will then allow for the appropriate balance between managing the risk but not cutting off future opportunities that would otherwise be utilised by potential competitors.

Business Continuity and Crisis Management

Corporate risk management involves a wide range of different functions, including Risk Management, Incident Management, Emergency Management, Business Continuity and Crisis Management. In order to have an effective risk and business continuity management capability, all of those functions need to be integrated into a single framework that allows the knowledge and capabilities held by each individual unit to contribute to the greater safety and security of the organisation as a whole.

Corporate Risk Management and Decision-Making

However well-designed the corporate risk management programme might be, when an actual situation occurs, there is often an inability to make effective decisions given the stresses and pressures associated with an actual incident occurring in real time, with the potential negative consequences of any decision that might be taken. Just as an individual can freeze when put under pressure, so can an organisation. These are issues that must be considered as part of the risk management planning process, and the better that an organisation and its critical decision-makers understand these challenges, the better prepared they will be to take those decisions when required.

Planning, Training and Exercising of Gold, Silver and Bronze Levels

The basis of any skill development is structured practice, which can then be tested at increasingly challenging and complex levels. It is no different in risk and security management, and one of the critical parts of the business continuity management development process is structured training and exercising that will ensure that each individual unit understands their roles and responsibilities, and has the necessary skills and capabilities to deliver those functions, but which will ensure that they also have an understanding of how they integrate with other units around them.

Business continuity management is always an issue of multi-team response and integration, and the more effective the training programme, the more effective will be the actual service delivery once they are needed in the face of an actual situation.

The training itself can be developed from simple exercises designed to develop and then test skills, but which will then become more complex, so that eventually every level of the decision-making structure, including Gold (Strategic), Silver (Tactical) and Bronze (Operational), will understand all of the issues associated with complex operation management, and will have the skills and capabilities to work together effectively as a single unified response team.

Risk Management System based on the ISO 31000 Standard

ISO 31000 is accepted as the international standard for risk management and associated activities. Rather than being a detailed management programme in itself, ISO 31000 identifies critical areas that need to be addressed, and offers a checklist against which any organisation can measure its own current risk management practices, and can be used as a template for future risk management development programmes.

Organisational Resilience Management

However well developed an organisation’s risk management programmes are, the world is full of examples of situations where the risk management capabilities were simply not strong enough to survive the shock of an actual emergency incident. The final issue in risk management and business continuity management is ensuring that the organisation itself, and all aspects of its BCM programme, is robust enough to operate in the widest range of potential situations.

DTR008 Introduction to Security and Risk Management

This module will take you through Introduction to Security and Risk Management.

  1. Introduction
  2. 1.2 Security, Freedom, Threat: The Three Basic Concepts of Security Management
  3. 1.3 What is the Correct Level of Security?


Introduction

In a hundred years’ time, when the history of the 21st century comes to be written, the first decade of the century may well be called ‘The Age of Security’. Although security has been a fundamental consideration since the beginning of human history, security has come to play an increasingly central role in all aspects of our lives in the recent past. This has affected, amongst other things, the way we live, how we travel, how we communicate and the way we move money around.

The role of the modern security manager has also had to adapt to the emergence of new threats and challenges. The traditional role of the security manager was often seen as being limited to ensuring that windows and doors were locked, and preventing goods from being stolen. However, the modern security manager faces a wider range of tasks and challenges. It is not uncommon for security managers to be called upon to deal with situations involving terrorism, cyber-security, crisis management and the personal protection of senior executives, as well as more traditional tasks around physical security (fences, lighting, locks, CCTV, access control systems, alarm monitoring and control room design).

As well as that, the modern security manager also faces the need to operate in a tight financial environment. Unfortunately, security is often seen as a ‘non-productive cost’, and security managers need to fight their corner at Board room level to ensure that their assets, personnel and budget are not cut.

However, whilst the security manager faces increasing challenges due to the changing nature of the world, there are also increased opportunities. It was not so long ago that the corporate security manager (who in those days would invariably be a man) would be a retired police officer who found work through the Old Boys network, and who mainly saw the work he was doing as an extension of his police activities. The modern security manager, however, is expected to be able to demonstrate the same level of professional development and technical excellence as any other senior expert in the company.

The purpose of this programme is to ensure that you, wherever you are in your security career, will have a full understanding of all of the major issues in modern security management. Whatever your present level of operation or future aspirations may be, this programme is designed to give you the basic framework that will allow you to understand how the various components of modern security management fit together. All of the Modules can be approached as stand-alone subjects, but just as in security itself, you will find that many of them use the same basic concepts of security management, and there may be areas where the language and concepts overlap each other.

1.2 Security, Freedom, Threat: The Three Basic Concepts of Security Management

If we want to find an all-encompassing definition of security, one that would be valid under any circumstances, it would be something along the lines of: ‘The purpose of security is to create a safe environment where routine activities can be carried out in as normal a way as possible, in accordance with the perceived level of threat’.

By using this definition, we are introducing the three basic concepts that are the foundation of all security management programmes, namely:

  1. Security
  2. Freedom
  3. Threat

These concepts apply whether you are locking your bicycle to a railing, putting defensive fencing around a nuclear power station, protecting a VIP or using an access control system into a multi-usage commercial building. The first two concepts, Security and Freedom, are inseparably linked. If you want more security, you will pay for that in freedom. If you decide you need to have more freedom (for example to move in and out of a building without showing a pass, to use a private laptop in the workplace, or to allow cars to park near your building), then that will inevitably mean that you will have a lower level of security than if those things had not been allowed.

Therefore, the question that all security managers need to address is ‘How much security do I need?’. In order to answer this seemingly simple question, we have to ask another question in return: ‘What is the threat?’. Unless we have an understanding of what is the level of threat, we have no way of assessing what level of security would be considered appropriate.

Airport security checks are an excellent example of this principle. The perceived high risk of attacks against airlines has led to governments across the world increasing the levels of security at airports. However, this has had a direct impact on our freedom: for example, we cannot take liquids and other material onto planes, and / or we have to undergo what might be considered as intrusive security checks, including removing belts and shoes and, more controversially, undergoing full-body x-rays.

1.3 What is the Correct Level of Security?

Given the potential impact of a successful terrorist attack, it is not surprising that there have been fierce debates concerning the correct balance between security and personal freedom.

Arguments made in 2006, following the attempt to use ‘chemical bombs’ on ten airliners travelling from UK to United States and Canada saw politicians, who wanted to introduce laws such as ID cards and extended period of detention with arrest for suspected terrorists, clash with judges, who felt that these new rules were outside of the normal British legal system, and were disproportionate to the actual level of threat.

UK Home Secretary John Reid made a speech that stated that Britain was ‘now facing the most sustained period of sustained threat since the end of the second world war’. Reid went on to state that critics of the government anti-terror legislation were putting national security at risk. The Court of Appeal disagreed with this, and stated that there was no justification for the declaration of a state of public emergency, and that therefore ‘Terrorist violence, serious as it is, does not threaten our institutions of government or our existence as a civil community’. In the same judgement, Lord Hoffmann made his famous announcement that ‘The real threat to the life of the nation . . . comes not from terrorism but from laws such as these’.

As a security manager, one of your fundamental roles will be to assess the actual level of threat, and strike the appropriate balance between the freedom required by your organisation and personnel to carry out their normal duties, whilst monitoring or controlling those activities in order to ensure the right level of security cover is provided.

DTR009 Risk Management Strategies

This module will take you through Risk Management Strategies.

  1. Introduction
  2. Five Risk Management Strategies
  3. Avoid
  4. Reduce
  5. Share
  6. Transfer
  7. Retain
  8. Summary
  9. Main Points


Introduction

Although the overriding objective of Security Management could be encapsulated in the slogan ‘Reduce Risk, Increase Safety’, deciding which is the most appropriate approach is dependent on a wide range of factors, including operating environment, organisational risk culture, resources, management support, potential loss and other (competing) strategic objectives. For example, it may be part of the company’s strategic objectives to develop operations in new markets in Eastern Europe or Africa. There would obviously be a risk associated with these moves that would not be applicable in working in a UK or a developed western European market. However, it may be that these additional risks may be considered as acceptable by the company’s management within the context of the business development project, and it would be the responsibility of the security manager to develop an appropriate strategy to manage those risks in line with the company’s wider strategic objectives.

Given that it is impossible to completely eliminate risk altogether, there comes a time when there must be an acceptance of a certain level of risk – or at least, uncertainty. In order to keep risk management relevant to situations in the real world, there is a recognised concept of ‘As Low As Reasonably Possible’ (ALARP). This means that whilst we have a responsibility to both identify and manage risk, we cannot be expected to try and eliminate every single conceivable risk, however low its possibility might be.

Five Risk Management Strategies

There are a number of ways that potential risk management strategies can be categorised, though most models generally consist of between four and six different approaches. Here are five of the most widely accepted options. As you work through the study course, you will recognise these as coming up time and again within different security management contexts.

Avoid

This is done by acknowledging the risk, and changing your own activities in order to avoid the possibility of an incident occurring. Examples might include not moving into new markets in the example above, banning the use of personal computers in order to minimise the possibility of an electronic virus contaminating the company computer system, or keeping visitors to a production facility restricted to certain areas, whether to avoid industrial espionage or potential accidents.

Reduce

This is done by introducing protocols to minimise the possibility of an unwanted event happening, and to minimise the impact of any unwanted event that does happen. For example, if a company had lone workers who were visiting outside sites, and had identified that as a potential risk, requiring them to log their movements ahead of time with the HR or security department, and then calling in both before and after the visit would reduce the likelihood of something happening during those visits, and would limit the potential harm if something did happen (by allowing the HR or security team to become aware of the situation at the earliest possible moment). Similarly, introducing a ‘Meet & Greet’ process at the front gate reduces the risk of potentially unwanted visitors gaining access to a building.

Share

Many of the risk management strategies that have been accepted within the wider security management framework originally started in Supply Chain Management. It is a feature of SCM that each player is dependent on the link before them in the chain, so that the final ‘customer’ who is awaiting delivery of the vital piece of stock is relatively powerless to control that process. The concept of sharing the risk is actually more concerned with sharing potential loss. Under this system, each person would face financial penalties if they did not deliver according to agreed terms. Within a wider security management context, sharing risk can be seen as a way of minimising potential liabilities.

Transfer

By transferring risk, you are in effect outsourcing the responsibility for the management of the risk, and any possible consequences. The retention of a specialist crisis management agency to handle crisis situations overseas is an example of sharing the potential liability for emergency evacuations, in a situation where it would be irresponsible to ignore the potential risk, but unfeasible to manage it in-house. Another example would be the decision as to whether to use a car-leasing company for the company fleet, or to own the cars outright. By using a fleet-hire system, the management of the risks – breakdowns, accidents, servicing, etc – is transferred to the leasing company. One advantage of this system is that there is a clearly defined cost to this particular option – the fee you pay to the agency for the service that they provide.

Retain

There are two reasons for retaining risk. One is because the potential likelihood or potential impact is so low as to be deemed acceptable – the ‘We will deal with it if it happens’ approach. This is actually a very effective means of dealing with low-level risks, as long as the potential consequences of such risks are well understood, and there are clear protocols in place for dealing with them. For example, if in the example above the company decides to own their own cars rather than lease them, then the risks associated with that decision would be accepted as part of the greater risk management process, but there would also be clearly defined protocols in place for when those situations did occur.

The other reason for retaining risk is if there is no feasible way of managing it through any of the other strategies listed. For example, the risk of an executive being kidnapped is one that would need to be managed if they were working in Somalia or Sudan, where such risks are a realistic part of operating in that region, but would not necessarily be part of the risk management strategy in New York or Zurich. It may be decided that the low likelihood of such an incident occurring there outweighs the prohibitive cost of insuring against such a situation.

Summary

Modern security management has grown beyond traditional concepts of merely protecting property, services and personnel. The range of present-day risks is creating challenges that require a fully integrated and professional approach to security management that is on par with every other aspect of an organisation’s operation management. The modern security manager needs to have a strong understanding of the underlying principles that create the foundation for effective security management, and this programme will introduce those principles in a structured way over coming modules.

Main Points

  • Security Management is always a balance between Freedom and Security
  • Appropriate levels of security can only be discussed in terms of the Perceived Risk / Threat
  • There is no such thing as total elimination of Risk, the best we can aim for is ‘As Low As Reasonably Possible’
  • Major RM strategies include Avoid, Reduce, Share, Transfer, Retain

DTR010 The Three Stages of Risk Management

This module will take you through The Three Stages of Risk Management.

  1. Introduction
  2. Stage 1: Risk Assessment
  3. Stage 2: Risk Control
  4. Stage 3: Contingency Planning
  5. Summary


Introduction

For any security manager, whatever their role and whatever the size of operation that they are responsible for, there are three fundamental issues that they will be dealing with, and it is likely that the vast majority of their daily work can be clearly classified as belonging in one of those three categories.

The first issue is, ‘What are the problems that I need to deal with?’. The second issue is, ‘What should I do about it?’, and the third question is, ‘What do I do if something goes wrong?’. To put this into more technical terms, we are talking about Risk Assessment, Risk Control and finally Contingency Planning. This module introduces these three basic concepts, and shows how they act as the foundation for all security management operations.

Stage 1: Risk Assessment

The purpose of the Risk Assessment is to take all of the thousands of possible or potential risks that might occur, and to give them some kind of comparative value. This will allow us to decide which of them is more serious, and which need to be actively managed. The truth is, that if we take any simple situation – walking from our home to the train station, or delivering a package from your warehouse to a client, for example – there are literally hundreds of possible scenarios that could be considered as risks, from the road being closed or the tube being disrupted, to a twisted ankle or being mugged, and on to a major terrorist attack.

As an example, a risk assessment carried out in a factory might identify realistic possible threats such as workers stealing goods; an electrical breakdown that would stop the production line; a hole in the fence; a phoned-in bomb threat; suspicious activity outside the main gate; a major terrorist attack somewhere nearby, but which would lead to the police putting a cordon around our factory so that no-one could get in, or a breakdown in the access control system.

This is the first stage of a Risk Assessment, in that we have Identified Potential Threats. However, that is only the first part of the process, because we then need a way of putting them into some sort of order.

The accepted way of doing this is to create a Risk Matrix, based on two measures: Likelihood (the likelihood of an event occurring) and Impact (the disruption that event would have on our operations if it did occur). Both of these measures can range from Low (unlikely, low impact) to High (very likely, high impact).

By using this system, we can give different threats different values based on different combinations of Likelihood and Impact. These can be broken down into five sections:

The Risk Matrix has been divided into five distinct Risk Zones, based on the Likelihood / Impact values. Each of these areas would identify a different class of problems, which would require different forms of solutions.

Stage 2: Risk Control

The purpose of Risk Control is to minimise the likelihood of any identified unwanted event occurring, and minimise the impact of any unwanted event that does occur.

Once we have identified the risks and given them a Comparative Risk Value, we can then identify those risks that can be most easily managed through our security systems. For example, if we have identified that the lack of access control means that unauthorised people are walking around our premises, the introduction of a Reception Desk and / or an entry-phone system could be one way of solving that problem.

In order to ensure that the most effective Risk Control measures are put in place, each identified threat should lead to the introduction of a specific Security Protocol / Procedure.

For example, if you are working in a situation where the possibility of a parcel or letter bomb is considered greater than normal, this would be identified during the risk assessment process. As part of your risk control measures, you would then develop specific security protocols to maximise the likelihood of identifying a letter bomb, and to minimise the effect of any letter bomb that might be sent. This might involve screening all incoming mail at a separate location away from the main offices. You might also have ensured that all mail-room and reception staff had undergone specific training to teach them how to identify suspicious packages and what to do if they were found. (Reception staff would also need to undergo the training in case someone hand-delivered a suspicious package, either themselves or using one of the major logistical companies.)

If a suspicious package was found, you could then isolate the area whilst a specialist police team was called. As this was identified as a high-likelihood potential threat during your Risk Assessment, you should have developed good relationships with the police units, who would be aware of the threat and may well have taken part in joint exercises with your staff to respond to a suspect package. All of these actions would be developed in response to the initial identification of a high-impact threat.

There have been a number of examples of letter bombs in the UK, and a company might be targeted because it is working in the pharmaceutical industry, or it may be associated with political or national issues that increase the likelihood of attack. In 2007, a single person sent seven letter bombs in the UK to companies associated with DNA testing and various traffic organisations. The Animal Liberation Front have also used letter bombs, as have Arabic organisations targeting both Jewish and Israeli targets, as well as Arab-language newspapers in the UK.

The first two stages of any risk management programme, namely Risk Assessment and Risk Control, are designed to prevent an incident occurring. The third stage, Contingency Planning, prepares you to react and respond as effectively as possible when something does happen. In some American risk management models, the difference between the proactive Risk Assessment and Risk Control stages, and the reactive Contingency Planning stage, is described as ‘Left of Bang’ and ‘Right of Bang’.

Stage 3: Contingency Planning

The purpose of Contingency Planning is to allow the security team to regain control of the situation, and return to normal operational status, as quickly and effectively as possible.

Once an incident has occurred, it is clear that it will have a negative impact on the normal running of the operation, whether it is someone forgetting the key to the front gate, disruption of your normal supply chain – or a water-pipe bursting in the office above, and flooding your whole control room. This is exactly what happened at the main police control room just before the London Olympics….

Some of the issues involved in responding to a ‘Right of Bang’ situation will be covered in more detail in the Crisis Management module, but it is worthwhile noting that when something does go wrong, your response will almost certainly consist of a mixture of pre-planned options and responses that you create ‘on the hoof’. As the nature of the problem becomes clearer, and you gather more information, the effectiveness of the pre-incident preparation will start to kick in.

Effective crisis management is based on the ability to manage the transfer of information around a number of different stakeholders, make decisions under pressure, deploy teams and then receive information from them once they have assessed the situation for themselves. There is also the need to deal with Secondary Consequences, that is, the knock-on effects from the initial problem that will in themselves become problems for your incident management team.

The ability to respond effectively to an unexpected event is, in many ways, the ultimate test of a security manager’s effectiveness.

Summary

The role of the Risk Management procedure is to give the security manager the tools to create viable and realistic risk management programmes capable of responding to the thousands of potential incidents that could possibly occur. The truth is that the vast majority of a security manager’s time is taken up dealing with the same few situations that occur on a recurring (and often daily) basis. An effective security management programme should be able to identify the predictable normal incidents that can be dealt with using Standard Operating Procedures, those that need a higher level of management input and decision-making, and those that can be classified as crises and which could potentially impact significantly on the wider organisation and its activities.

  • Risk Management has three component parts: Risk Assessment, Risk Control, Contingency Planning
  • Risk Value is based on Likelihood and Impact
  • The Risk Assessment identifies possible Risks, and gives them a Risk Value
  • Risk Control consists of Protocols introduced to manage the risks identified in the Risk Assessment
  • Contingency Planning is concerned with the Response Options that would be triggered if an unwanted event did occur
  • Contingency Planning is also concerned with Secondary Effects that can impact on the organisation as a result of the unwanted incident