Interorganizational Management

The company should, as part of the Business Continuity Management (BCM) Plan, determine what resources can be leveraged or outsourced to support incident and crisis management. Even major international companies will not have the expertise or past performance experience to manage every aspect of a crisis situation, and often governments or specialist organizations can bring expertise or considerable weight to bear that commercial organizations might not be able to match. Where possible and appropriate, the crisis management organization should seek to include government support and outsourced expertise as part of its crisis team composition. By predefining such supporting elements, the company might enhance contingency planning measures and make incident and crisis response measures more effective (i.e., exponentially increasing the response capabilities of the company), as well as actually reducing the costs required for contingency planning and crisis management.
The company should define with any external interfaces the preferences and requirements for communication traffic during an emergency situation. This also applies to contracted security vendor companies, as often the company project or program managers feel that their corporate offices are too involved in the tactical event and should not be directing response measures, or that they themselves have not been provided sufficient time to understand the scope and impacts of the problems before executive management begin asking questions and demanding or directing action. Conflicts within the company's own organization are common during crisis events; and subcontracted vendors supporting with such issues require clear guidelines and policies, as well as diplomacy and a balanced approach to multilevel requirements in order to understand from whom they should take direction, and how they should support the company's crisis response. Tiering the crisis management structure often helps companies understand the different focus areas as well as the spectrum of levels involved within a crisis event, as illustrated in Exhibit 1.


Exhibit 1: Interorganizational Management
The company, supporting agencies, and subcontracted security or crisis response vendors should collaborate, where possible, to determine the structure of the crisis response levels, functions, and responsibilities in order to align structures, policies, and procedures to best match crisis requirements. The event itself will also significantly influence the manner in which such response and management teams are established and how they operate. An example of a typical event chain of management functions follows:
  • First Responder: The nonspecialist person or manager who might be first on the scene and will initiate the crisis response, as well as start information flows and control measures.
  • Source Incident Response Team (IRT): A trained local incident control team or manager who might be first on site, or in close proximity, to start to bring control to the crisis event.
  • Project IRT: An incident response trained manager or team who will take from local responders the control over gathering information and controlling the tactical aspects of the crisis event.
  • Program Crisis Response Team (CRT): A trained senior incident manager who might manage multiple aspects of the crisis event and mobilize local outsourced support, bridging the gap between incident management and crisis management.
  • Country CRT: The first layer or true crisis management element that will support controlling the actual event in strategic terms, while also undertaking peripheral crisis management functions and mobilizing in-country resources and outsourced support. They will often bridge the field and corporate levels.
  • Corporate CRT: Senior-level crisis managers who will deal with strategic needs and issues for the company as a whole. They will sanction procurements and deal with public relations issues, as well as senior government agencies and special support groups.
While some organizations may have fewer levels within their crisis management structure, the three principal levels of the person at the scene, those dealing with the physical aspects of an emergency response, and the strategic crisis management element are nearly always found within a crisis event. The right balance of ownership, authorities, and operating parameters needs to be struck between the roles of the corporate and country office and those of the incident management teams. The key issues companies should consider are:
  • The type, scope, and severity of the incident.
  • How undertaking the role will undermine primary work functions for incident and crisis managers.
  • The liability implications for those appointed to the tasks: are they the best choice to protect the company?
  • Effectively managing the threat at the local, national, and corporate levels—focusing holistically on the implications of an event.
  • Implementing standard operating procedures to reduce the risk probabilities.
  • Implementing incident management plans (IMPs) to reduce the impacts of risk events and bring control to the situation.
  • Implementing event-specific crisis response plans to augment and transition from incident management responses to full-scale crisis management.
  • Availability and experience of local management to handle an incident, determining early whether additional support is needed.
  • Identifying other supporting agencies that might be leveraged to assist with crisis management.
  • Potential of the incident to have an effect on the company beyond the impacts of the actual event.
Companies will organize their crisis response teams based on a range of factors, including corporate structures, risk policies and management approaches, risk tolerance levels, geographic and industry influences, the ability and quality of government and other external support, as well as business partner or subcontracted security vendor participation. Each business activity may also bring unique requirements to the composition of a crisis team, either internally or in terms of outsourced support.

Incident Management Plan Risk Assessments

While typically a function of the crisis response team (CRT), it can in some instances be useful for the incident response team (IRT) to indicate how a crisis event may impact the company from a grassroots perspective. This will feed immediate concerns and information from the source of the event, to supplement the data response materials forwarded during the initial stages of a crisis event. A basic IMP risk assessment of how the event may affect the company can prove useful to support risk mitigation at all levels at the early stages of a crisis. Such assessments may include:

Immediate Concerns

  • Is there an immediate risk to personnel?
  • Is there an immediate risk to the company's reputation?
  • What risks are presented to resources or facilities?
  • Is there a risk to third parties?
  • How long before any of these risks occur—how much time is there?


Situation

  • What is the cause or motive of the risk event?
  • Is it likely to get worse?
  • Are other (different) threats likely to occur?
  • What happened, where, and when?
  • What effects are to be expected in the best case, likely case, and worst case?


Complicating Factors

  • What legal implications are there?
  • What media interest has been shown?
  • What environmental factors will hamper the resolution of the problem?


The IMP risk assessment should not be confused with the responsibilities of the crisis response team and specialist responders, who should conduct more comprehensive risk assessments and evaluations during and following the crisis. The IMP risk assessment is a tool designed to provide a local perspective of the problems and impacts likely to occur that might fall outside of normal reporting formats within the IMP. While not a component of the IMP, the company should also link risk assessments to any recovery plans so that when the situation has sufficiently stabilized the company can begin to plan the resumption of normal operations.

Incident Management Plan Alert States and Trigger Response Plans

It is important for incident managers to be provided with simple guidance as to how to sensibly and effectively escalate a risk management posture to reflect threat indicators, or increasing levels of threat. It is also important to define the difference between a problem and a crisis, so that managers do not ignore a real crisis event, or conversely do not mobilize resources that far exceed a requirement, as this will quickly fatigue the crisis management responses. Frequently the determination between a problem and a crisis is a subjective one; however, some simple guidelines will assist those less experienced in identifying and managing crisis events.

The Business Continuity Management Plan will typically contain detailed alert states and trigger plans to meet a range of possible crisis scenarios; however, a simplified version can be useful within the IMP itself. Threat levels are often the key indicators of alert states, but threat levels can be extremely volatile and do not necessarily reflect actual risks to personnel, facilities, resources, or activities. Assessing alert states in terms of the threat and vulnerability will provide a more tailored and local alert state. This should be a continuous process of assessing the risk environment in which the company is operating, at local, regional, and national levels—rather than being purely associated with IMP requirements. Sound judgment forms the basis of a decision; however, the development of agreed alert states provides a common vocabulary, context, and structure for assessing and reacting to the threats that confront the company's people or project. In essence, these alert states provide a simple and effective way of conveying the severity of a situation to local, national, and corporate management in order to facilitate their decision‐making process, as well as evidence and justify a response need. They also bring important consistency to the risk management approach. Alert states can also be used to trigger internal risk and security measures, increasing awareness, initiating contingency measures, and mobilizing resources to be positioned to enable the company to respond at appropriate levels to a particular need.

Alert states can be influenced by internal assessments, or may be influenced or guided by government, military, or civil assessments. There may be differences in what a government considers just reason to evacuate, and what commercial organizations see as the final trigger for a withdrawal. Businesses will bear the brunt of financial or project losses, whereas diplomatic warnings are more advisory and often not audience specific. Alert state risk assessments can also be tied directly to actions required and policies implemented. This will assist in a semi‐automated process following the risk assessment. Alert states may vary from negligible to low, medium, high, or extreme. In each instance, an explanation of what drives the classification should be provided to avoid personal perspective or ambiguity, as well as what actions are required in association with alert states to reflect a change to risk levels. Tables may be complex or simple, depending on the complexity of the company requirement—although the IMP version should be as clear and focused as possible to reflect the user audience's knowledge, capabilities, and experiences. Exhibit 2.16 illustrates a simple table that might be used to guide first responders and incident managers through a simple and directed decision‐making process connected to certain levels of risk probability. Numerical alerts can be used to guide managers to where they need to start taking action; alternatively, color coding is an option to making interpretation of risk levels easier for users.


Exhibit 1: Incident Management Plan Alert State Trigger Plan

Generic and macro‐level trigger natures are illustrated in Exhibit 1; however, more specific triggers or trip wires may be defined by companies so as to provide granular‐level guidance to staff. Organizations such as the U.S. Overseas Security Advisory Council (OSAC) advocate trip‐wire planning for commercial organizations operating abroad. The OSAC advocates determining points at which certain risks—principally natural disasters, civil disorder and political unrest, terrorism, health and environmental threats, infrastructure weakness, and other facility or employee concerns—mobilize an organization into predetermined response measures (OSAC, “Tripwire Approach to Emergency Planning,” May 11, 2008). Establishing trip wires or trigger points enables local managers, as well as corporate officers, to have clearly defined and unambiguous points at which decisions or actions are taken, whether they be major earthquakes, large‐scale riots, pandemic alerts, fuel shortages, or water contamination threats. These specific trigger points or trip wires can include:


  • Demonstrations that indicate growing social unrest, whether peaceful or violent in nature, especially if aimed at foreign workers, facilities, or other associated company activities.
  • The media, host nation government, religious groups or leadership, or militia leaders preaching or actively spreading inflammatory propaganda or directives that could adversely affect the company, its personnel, or its facilities.
  • A rapidly diminishing ability to gain accurate and timely information from local government organizations, foreign missions, and media agencies on local or regional events that could present threats to the company.
  • Increasing levels of opportunistic criminal activity, especially if directed at specific ethnic or religious groups, genders, or business activities, locations, or facilities.
  • Focused attention by organized crime on the company and its employees, activities, or facilities, or unwanted attention toward associated or similar commercial groups.
  • Rising levels of insurgent, terrorist, or activist targeting, especially if directed toward the company or toward associated or parallel groups.

  • Host nation, embassy, media, or other public announcements indicating an increase in specific threat types or pending crisis events.
  • Sustained disruptions to basic infrastructure or utilities preventing the supply of clean water, gas, electricity, food, fuel, or other life‐support essentials.
  • Reliable reports of an imminent natural disaster—hurricane, typhoon, tsunami, wildfire, volcanic eruption, or flooding.
  • Reports of a pending or occurring industrial or environmental disaster that could present toxic or physical hazards to personnel, as well as contaminate facilities, food or water supplies, or critical materials.
  • An outbreak of contagious diseases that the local government or responding agencies do not have the resources, expertise, or medicines to treat.
  • Rapid economic decline brought about by sanctions, civil unrest, coups, assassinations, or the turnover in host nation leadership, which might lead to local authorities being unable to maintain law and order.
  • Political instability and loss of governance resulting from the abrupt replacement, detention, or arrest of key government officials, military leaders, political opponents, religious leaders, or other prominent figures.
  • Similar organizations increasing security profiles, ceasing operations, closing facilities, rapidly evacuating personnel, or demobilizing activities.
  • Foreign embassies and aid agencies declaring heightened risk alerts or withdrawing their presence from the area, region, or nation.
  • The inability, lack of resources, or unwillingness for local or national security and law enforcement agencies to provide adequate protection to foreign workers and the company's interests.
  • Rising levels of corruption, extortion, and legal liability risks presented by corrupt political leadership, which could result in detentions or imprisonment.
  • Rapidly declining transportation capacities for road, rail, air, or maritime facilities, which could adversely affect the ability of company employees to evacuate the country.


Each company, and indeed project, should provide definitions and responses that are appropriate to its unique requirements and operating environment. The risk assessment conducted during the contingency planning aspect of the Business Continuity Management Plan's development should define what postulated threats are posed against a company or particular activity, and thus what should be included within the risk type category. The guidelines should be treated as exactly that, guidelines, with common sense playing a critical role in how managers respond.
