The company should, as part of the Business Continuity Management (BCM) Plan, determine what resources can be leveraged or outsourced to support incident and crisis management. Even major international companies will not have the expertise or past performance experience to manage every aspect of a crisis situation, and often governments or specialist organizations can bring expertise or considerable weight to bear that commercial organizations might not be able to match. Where possible and appropriate, the crisis management organization should seek to include government support and outsourced expertise as part of its crisis team composition. By predefining such supporting elements, the company might enhance contingency planning measures and make incident and crisis response measures more effective (i.e., exponentially increasing the response capabilities of the company), as well as actually reducing the costs required for contingency planning and crisis management.
The company should define with any external interfaces the preferences and requirements for communication traffic during an emergency situation. This also applies to contracted security vendor companies, as often the company project or program managers feel that their corporate offices are too involved in the tactical event and should not be directing response measures, or that they themselves have not been provided sufficient time to understand the scope and impacts of the problems before executive management begin asking questions and demanding or directing action. Conflicts within the company's own organization are common during crisis events; and subcontracted vendors supporting with such issues require clear guidelines and policies, as well as diplomacy and a balanced approach to multilevel requirements in order to understand from whom they should take direction, and how they should support the company's crisis response. Tiering the crisis management structure often helps companies understand the different focus areas as well as the spectrum of levels involved within a crisis event, as illustrated in Exhibit 1.
Exhibit 1: Interorganizational Management
The company, supporting agencies, and subcontracted security or crisis response vendors should collaborate, where possible, to determine the structure of the crisis response levels, functions, and responsibilities in order to align structures, policies, and procedures to best match crisis requirements. The event itself will also significantly influence the manner in which such response and management teams are established and how they operate. An example of a typical event chain of management functions follows:
§ First Responder.: The nonspecialist person or manager who might be first on the scene and will initiate the crisis response, as well as start information flows and control measures.
§ Source Incident Response Team (IRT).: A trained local incident control team or manager who might be first on site, or in close proximity to start to bring control to the crisis event.
§ Project IRT.: An incident response trained manager or team who will take from local responders the control over gathering information and controlling the tactical aspects of the crisis event.
§ Program Crisis Response Team (CRT).: A trained senior incident manager who might manage multiple aspects of the crisis event and mobilize local outsourced support, bridging the gap between incident management and crisis management.
§ Country CRT.: The first layer or true crisis management element that will support controlling the actual event in strategic terms, while also undertaking peripheral crisis management functions and mobilizing in‐country resources and outsourced support. They will often bridge the field and corporate levels.
§ Corporate CRT.: Senior‐level crisis managers who will deal with strategic needs and issues for the company as a whole. They will sanction procurements and deal with public relations issues, as well as senior government agencies and special support groups.
While some organizations may have fewer levels within their crisis management structure, the three principle levels of the person at the scene, those dealing with the physical aspects of an emergency response, and the strategic crisis management element are nearly always found within a crisis event. The right balance of ownership, authorities, and operating parameters needs to be struck between the roles of the corporate and country office and those of the incident management teams. The key issues companies should consider are:
§ The type, scope, and severity of the incident.
§ How undertaking the role will undermine primary work functions for incident and crisis managers.
§ The liability implications for those appointed to the tasks, are they the best choice to protect the company.
§ Effectively managing the threat at the local, national, and corporate levels—focusing holistically on the implications of an event.
§ Implementing standard operating procedures to reduce the risk probabilities.
§ Implementing incident management plans (IMPs) to reduce the impacts of risk events and bring control to the situation.
§ Implementing event‐specific crisis response plans to augment and transition from incident management responses to full scale crisis management.
§ Availability and experience of local management to handle an incident, determining early whether additional support is needed
§ Identifying other supporting agencies that might be leveraged to assist with crisis management.
§ Potential of the incident to have an effect on the company beyond the impacts of the actual event.
Companies will organize their crisis response teams based on a range of factors, including corporate structures, risk policies and management approaches, risk tolerance levels, geographic and industry influences, the ability and quality of government and other external support, as well as business partner or subcontracted security vendor participation. Each business activity may also bring unique requirements to the composition of a crisis team, either internally or in terms of outsourced support.
