Why Create a Crisis Management Plan?



  1. 1. Why Create a Crisis Management Plan? NAFCU Technology and Security Conference Presented by: Tom Abruzzo, TAMP Systems February 28, 2008
  2. 2. Agenda What is a Crisis What is the Best Way to Manage a Crisis Why Prepare for a Crisis What’s the “Greatest” Crisis Management Plan Conducting a Risk/Threat Analysis for a crisis plan Conducting a Business Impact Analysis for a crisis plan Crisis Communications Crisis Management Plan Development Life Cycle Integrating your CMP with your BCP Ingredients for your CMP and BCP
  3. 3. What is a Crisis? A major, unpredictable event that threatens to harm an organization and its stakeholders A time or state of affairs requiring prompt or decisive action Three ingredients are common to the definition of crisis: a threat to the organization and its reputation, the element of surprise, and a short decision time. What’s a Disaster? Any event that causes inaccessibility or inoperability to your facility (including your technology & business operations) and possibly permanently…
  4. 4. What is Crisis Management? A systematic method to manage the mitigation of a crisis event and avoid its escalation Organizing the resources to develop a crisis management plan before the onset of a crisis In the face of an actual crisis, management includes: identifying the real nature of the crisis, intervening to minimize damage from the crisis, conveying a sense of confidence and control to deal with the crisis, and implementing actions to recover from the crisis. In summary, Crisis Management consists of the skills and techniques required to assess, understand, and cope with any crisis situation, especially from the moment it first occurs to the point that recovery procedures start.
  5. 5. What is a Crisis Management Plan? A preparation document that describes what you would do in response to a crisis. The CMP needs to address: What you would tell your members, vendors, employees and the news media How to continue/recover your credit union’s operations after the crisis… The CMP needs to contain: Planned methods to respond to both the reality and perception of a crisis Pre-established conditions to define what scenarios constitute a crisis and should consequently trigger the necessary response mechanisms Pre-meditated ways to communicate response actions to the crisis The primary “Purpose” and “Goal” of a CMP is: Seamless continuation of your credit union's business operations
  6. 6. Why create a Crisis Management Plan? Crisis events are unpredictable - But, they must not be unexpected A crisis event is generally a surprise that forces a short decision time, and therefore planning is vital Credit unions have responsibilities to their employees, investors, business partners and members Protects reputation, member confidence, market share and the long-term health of the organization Fulfills regulatory requirements: Federal Financial Institutions Examination Council (FFIEC) National Credit Union Administration (NCUA) National Association of State Credit Union Supervisors (NASCUS) External Auditors In times of great stress or a crisis, we revert back to what we know and, more importantly, how we have been trained and conditioned to respond It follows that if you want your company to respond well to a crisis, your employees need a plan, and a level of knowledge and training appropriate to the tasks they will face Preparation is the difference between going down and going out Failure in a Crisis is not an option
  7. 7. Additional Reasons for Being Prepared Gives you a competitive advantage Retains business Attracts new business Assures financial and operational stability Sets an example for your members Demonstrates enhanced level of sophistication Assures that you deliver on your promises Provides opportunity for post-crisis growth
  8. 8. Plans for Business Continuity Management (Plan Name: Notes)
      • Disaster Recovery Plan (DRP): IT Recovery Only
      • Business Continuity Plan (BCP): Includes DRP and CMP
      • Crisis Management Plan (CMP): Beginning of a BCP
  9. 9. Most Common Type of Plan Your Up-to-Date Resume
  10. 10. The Greatest Crisis Management Plan What is he carrying?
  11. 11. The Greatest Crisis Management Plan This bag is called the Nuclear Football It’s our country’s Mobile Emergency Command Center The President of the United States uses this when he is away from a fixed command center such as the White House Situation Room History: President Dwight D. Eisenhower’s brainchild - (President of the USA from 1953-1961)
  12. 12. Do we need a Risk/Threat Analysis for Crisis Planning? Yes - Need to identify vulnerabilities Why? – Helps us to determine the most probable incident scenarios that can cause a crisis.
  13. 13. Categories of Incidents/Crises? More than 220 Incidents can cause a Crisis or a Disaster Categories are: Environmental Human Natural Technological
  14. 14. “Environmental” crises that can affect business operations Fire (office) Flood (office) Gas Leakage Hazardous Material Spill Pollution (water and/or air systems) Power Outage
  15. 15. “Human” crises that can affect business operations Berserk/Disgruntled Employee Breach of Confidential Info Embezzlement or Theft Human Error Terrorism
  16. 16. “Natural” crises that can affect business operations Earthquake Severe Storm Flood Tornado Heat Wave Tsunami Hurricane Volcano Landslide Water Contamination
  17. 17. “Technological” crises that can affect business operations Equipment Failure Hacker Attack Network Outage Software Virus
  18. 18. Do we need a BIA for Crisis Planning? Yes – Need to Qualify/Quantify the impacts of a disaster on the business or operations Why? – Helps us determine how much we should spend on crisis management planning.
  19. 19. Sample Business Impact Costs (Business Impact: Est. Cost)
      • Business Opportunities: $30,000,000
      • Competitive Edge: $20,500,000
      • Customers: $10,000,000
      • Customer Confidence: $50,000,000
      • Market Share: $10,000,000
      • Total: $120,500,000
  20. 20. Cost Justification for Crisis/Disaster Planning
      • Cost of Outage per Day: $20,000,000. The cost of a crisis/disaster (inaccessibility to your facility and/or inoperability of your technology).
      • Length of Outage w/o Preparation (5 Days): $100,000,000. The time it would take you to recover from a crisis/disaster without a plan would be 5 days.
      • Length of Outage w/Preparation (1 Day): $20,000,000. Having a Plan will allow you to recover from a crisis/disaster in 1 day rather than 5 days.
      • Savings: $80,000,000. Result: Amount you would save.
      However, we cannot assume that you will definitely experience a crisis/disaster. Therefore, we must determine the odds of having a crisis/disaster.
  21. 21. Cost Justification for Disaster Planning
      • Odds of Outage: 4.30% (1 in 23). Source: Survey of the notable hot site vendors. They were asked the number of declared disasters they have had versus the number of contracts they have. Surprisingly, 4.3% of companies with hot site contracts have declared a disaster. And, when we look at this statistic a little closer, we realize that the 4.3% is a low number because it does not account for the companies that have experienced a disaster but did not have a hot site contract.
  22. 22. Cost Justification for Disaster Planning
      • Other Business Impact Costs: $120,500,000. Costs for loss of: (a) business opportunities, (b) competitive edge, (c) customers, (d) customer confidence, and (e) market share.
      • Justifiable Expenditure on BCP: $123,944,000. Calculated at 4.3% of the Savings, plus other business impact costs.
  23. 23. What’s Your Reputation Worth? Failure to meet stakeholders’ (shareholders, members, employees, the public, business partners, government, etc.) reasonable expectations of your performance and behavior It’s easier to repair or replace your physical assets than to maintain your reputation Business continuity and reputation risk are top of the list of what risk managers see as the most important threats to their companies A previous CEO of Coca-Cola wrote: “If I lost all of my factories and trucks but kept the name Coca-Cola, I could rebuild my business. If I lost my name, the business would collapse.” It takes a long time to build a good reputation, but it can be destroyed very quickly Rebuilding a seriously damaged reputation is a very slow and up-hill process In any business, reputation is KING
  24. 24. Proactive Crisis Management Activities Forecast or Predict potential Crises Plan Ahead on how to deal with them Examples of “What to do if”: your computer system completely fails bad weather is predicted an event causes one of your facilities to become inaccessible for a long period of time
  25. 25. Alert Levels
      • Level 1: Normal Times
      • Level 2: Crisis Watch
      • Level 3: Crisis Warning
      • Level 4: Crisis Occurred
  26. 26. Crisis Communications Develop a Crisis Communications Policy and Plan, including: a general crisis response statement the order in which to convey information topics to cover Develop a Crisis Communication Team (CCT), include representation from: IT, Legal, Insurance, Security, Compliance, etc. Assign one person to be the spokesperson, i.e., the Crisis Communications Manager (CCM) Assign an alternate spokesperson / CCM Communicate “accurate” information to employees, the media and the public as soon as possible
  27. 27. Crisis Communications Take charge quickly: understand the circumstances define the problem evaluate options move decisively eliminate the root cause of trouble preempt a recurrence fix the problem Get the facts out quickly and demonstrate your cooperation with outside sources Shape the way your message is interpreted by employees, the media and the public
  28. 28. Crisis Communications Remember, a crisis situation will be of interest to many key public interests, including: Management and Employees and Families News media Site neighbors Community leaders Elected officials Government agencies Customers, suppliers, vendors Financial community Stockholders
  29. 29. Crisis Communications Communications during a crisis must be calm, organized and factual Establish a predetermined crisis management center, i.e., the EOC Establish telephone-answering procedures for directing media, emergency and other calls Establish an internal system for contacting company employees Maintain telephone and mailing lists of key media contacts If necessary, highlight your successes, i.e., your safety record Act FAST - The media will mobilize quickly - you should too Notify security and local fire and police authorities (if the situation warrants) Be certain that employees know who the authorized spokesperson is, so that they may refer inquiries
  30. 30. Crisis Communications Do not speculate Information involving employee injuries or casualties must be provided to family members or next of kin prior to notifying the media Estimates involving the extent of property damage, loss or loss of life should be given to the media only when estimates have been properly substantiated Prepare a written press statement, if necessary Make the media aware that you want to be helpful and cooperative in meeting their needs Schedule additional updates on the crisis situation for employees and for the press
  31. 31. Do’s and Don’ts When Dealing With the Media Do’s: Offer Sympathy. If the incident caused injury or death, be sure to offer sincere sympathy first. Talk. Saying little is better than saying nothing. Explaining why you can’t talk is better than stonewalling. If you want your side of the story told, you must tell it. If you don’t, reporters will get a version elsewhere. Tell the truth. The truth is the facts as you know them. If you don’t know, or only have an opinion, reserve answering till more facts are known. You don’t need to volunteer information that hasn’t been asked for, unless it is appropriate to the situation.
  32. 32. Do’s and Don’ts When Dealing With the Media Do’s: Respond quickly. If you hesitate, the wrong story may be told and that is tough to erase. Emphasize the positive. Always communicate your corporate message. Emphasize the good safety measures taken, the minimal damage because of good teamwork, and what the company is doing to minimize the effect of the incident. Make sure the reporters know who the Spokesperson is. The corporate Spokesperson should be the only one authorized to disseminate information to the public. Follow up. Issue a written statement and/or schedule another session with the media.
  33. 33. Do’s and Don’ts When Dealing With the Media Don’t: Say anything off-the-record. There is no such thing when dealing with the media. If you don’t want it used, don’t say it. Say “No Comment.” It implies guilt. If you don’t know an answer to a question, tell the reporter you don’t know and will try to find out. If the question may lead to an embarrassing answer, give as much information as you can in as positive light as possible. Explain how you are planning to make things right. Get into liability issues. Do not talk about who is responsible, do not make any accusations, and do not give out company or individual names. Whatever you say may become part of a legal issue, so be as general as possible.
  34. 34. Do’s and Don’ts When Dealing With the Media Don’t: Be trapped into predicting the future. If the situation is complex and will take days to determine the full extent of the damage, tell reporters that the company will resume full work on the project as soon as possible. Fall for the “stall” technique. A reporter’s trick is to leave the microphone in your face hoping for you to say more. This is an uncomfortable moment, even for pros, but if you are silent, you won’t slip. Let a reporter reinterpret what you’ve said in a subsequent question. Correct the question before you attempt to answer. Wear sunglasses or dark glasses when being interviewed. It may look like you are hiding something.
  35. 35. Statements to Buy Time “We are aware of the situation and are investigating the details. We will keep you informed as the situation progresses.” “The cause is not known at this time. The investigation is continuing.” “Due to the rush in dealing with this incident, information is not yet complete.” “Our management team cannot be reached because they are handling the emergency. We will notify you as soon as details are known.” “We do not have enough details on the extent of the incident at this time, but we will report back in several hours.”
  36. 36. BCM & CMP Process Life Cycle (diagram of the cycle's phases: Foundation, Identification, Decision, Plan Development, Training & Exercise, Maintenance)
  37. 37. BCP/CMP Development Process (major steps, with the actions and deliverables for each)
      Foundation
      • Actions: Obtain Management Support; Identify the CMT Planning Team and initial planning information; Develop Project Plan; Issue Project Initiation Letter; Conduct Project Kickoff Meeting
      • Deliverables: 1. Project Initiation Letter 2. Project Kickoff Meeting 3. Project Plan
      Identification
      • Actions: Conduct the Business Impact Analysis (BIA); Conduct the Risk/Threat Assessment; Identify existing BCP and DRP data; Identify and collect the Continuity & Recovery Resource Data
      • Deliverables: 1. BIA 2. RTA 3. Collected Resource Data
      Decision
      • Actions: Determine the gaps between existing plans and required CMP; Analyze and choose response strategies for pre-determined crisis scenarios; Create the CMT and designate the primary and alternate corporate spokespersons
      • Deliverables: 1. Gap Analysis 2. Recommended Recovery Strategies 3. Recovery Teams & Tasks
      Plan Development
      • Actions: Assemble the information gathered and decisions that have been made; Enhance your BCP with the CMP data; Enhance your BCP Wallet Card with the CMP data; Publish the enhanced BCP/CMP and Wallet Card
      • Deliverables: 1. Enhanced BCP/CMP 2. Published BCP/CMP Manual and Wallet Card
      Training & Exercise
      • Actions: Educate plan owners on its use & what to do in crisis, disaster and recovery situations; Develop an Exercise Scenario; Develop Exercise Plan and Tools; Conduct Exercise; Identify Lessons Learned
      • Deliverables: 1. Trained Plan Participants & Owners 2. Exercise Scenario, Plan & Tools 3. Exercise/Test
      Maintenance
      • Actions: Identify organizational changes that will require plan updates; Establish a maintenance program; Use S/W or a method to manage & keep the plans up-to-date; Provide letters on enhanced plans for employees & partners/vendors
      • Deliverables: 1. Maintenance Program 2. S/W – Keeps Plans up-to-date 3. Employee & Partner Letters
  38. 38. Ingredients for a BCP and CMP The Plan Document will consist of: Introduction Expand Policy Statement to include Crisis Management Disaster Declaration Procedures Notification Procedures Add Crisis Communications Procedures / Scripts Recovery Teams, Functions & Tasks Crisis Management Team – Include, CEO, CFO, CTO/IT, HR, Legal, Compliance, Security, Facilities, Insurance, etc. Emergency Procedures Basic Procedures for Dealing with the Most Likely Crisis Scenarios Mission Critical Operating Procedures Recovery and Restoration Information & Inventories Media Contacts Appendices Press Information Log Sheet Safety History and Summary of Past Crises
  39. 39. Don’t wait for a crisis or disaster to happen. Plan First!
  40. 40. Questions & Answers Thank You www.tampsystems.com 516-623-2038
  41. 41. “When it comes to planning, we know what works.” www.tampsystems.com