Preparing for a Crisis

City Security Magazine – Winter 2014, page 6

New security challenges alongside a recession create interesting tensions.

Constraints are likely to persist, ‘green shoots’ notwithstanding. No organisation can face multifaceted security challenges without planning for a time when security fails, that is, a ‘crisis’. However, if reduced security spending lowers the threshold at which events can no longer be controlled by business-as-usual security, then the organisation could find itself in ‘crisis mode’ more often than it expects.

Ideally, crisis planning is about events so unlikely that big expenditure on security measures to prevent them is unnecessary. Planning can then focus on process, information, communication, decision making, and continuity. However, if security is not applied routinely to areas of predictable risk, because of insufficient analysis or money, then a ‘predictable crisis’ could occur. Either way, crisis planning and exercising, even if only (or perhaps especially) at ‘table top’ level, are essential weapons in the fight to survive a crisis.

Definition of a Crisis

Definitions of a crisis vary, but the component parts might be:

a) An event threatening severe negative impact on operations, finances or reputation.

b) Causing serious harm to employees, communities or customers.

c) Generating adverse public or governmental scrutiny.

To help, we have two pending British Standards:

1. At the higher level is BS65000 (Organisational Resilience), with the first draft expected soon. The following is stolen from London First’s and CSSC’s recent announcement: although there is no definition yet, it will deal with ‘capabilities’ such as anticipation and recovery; ‘activities’ such as horizon scanning and contingency planning; ‘attributes’ including decision making and organisational culture; and ‘principles’ focusing on core values, behaviours, leadership and managerial commitment.

2. At a second level is the draft BS11200 (Crisis Management: Guidance and Good Practice). It defines a crisis simply and effectively as an ‘abnormal and unstable situation threatening an organisation’s strategic objectives, reputation or viability’. A crisis is ‘not manageable within BCM procedures’ (that is, within business continuity management), ‘extraordinary’, ‘unique’, ‘rare’, and ‘a surprise’.

These descriptions encapsulate the nature of a crisis and point to the approach needed to survive it. What follows is a guide on how to grapple with it.

Drivers

Circumstances driving a crisis might include:

Circumstance: Example
Environment: Flood, earthquake, climate
Health: H7N9, H1N1, H5N1
Man-made: Terrorism, espionage, cyber, insider activity, crime, fraud
Technical failure: Power outage, cable cuts, IT or comms failures
Process failure: Compliance breach; interruption to supply chain, manufacturing process, cash-flow or staff availability

Policy

Policies and procedures need to be robust, frequently tested, the results evaluated and changes implemented.

A headline policy might be:

• Crisis Management (CM) protects our people, stakeholders, workplaces, IT, communications, supplies, and the continuity of our business from major events that seriously threaten us.

• A crisis management plan (CMP) must be designed, communicated and tested by each division and subsidiary, in line with company crisis management and risk management doctrine.

• Our CMP exists in close partnership with our security plans and business continuity plans (BCP), and one cannot be invoked without understanding the others. Every member of the company is expected to know their own role in the CMP and how it fits with that of their department.


Crisis management structure


The diagram opposite shows a view of the ‘resilience cycle’ and where crisis management fits. (‘Disaster recovery’ is included as some companies use it for IT.)


Within the cycle, a company needs formal but flexible structures to manage crises. Depending on how the business is constituted, a corporate crisis team might provide strategic oversight, or directly manage a crisis affecting the future of the whole organisation; in the latter case the head of the company might personally manage the crisis.


CM teams at functional and regional levels would make decisions relevant to a business line or region, and interface with other affected parts of the business and individual country crisis teams. A country crisis could be handled locally with oversight at regional level. A crisis in a manufacturing plant might be handled by the business line at its own various levels, with oversight by the regional team.


Preparation for a crisis


Flexibility, however, does not mean ‘decide on the night’. Scenario based rehearsals of the various possibilities are crucial to success and survival. Reaching the stage where rehearsals and exercises add value needs a disciplined approach.


Note that an exercise can also be highly useful as a first step, where a company realises its plans are weak, or do not reflect recent mergers, acquisitions, or changed business lines and practices. It might also work when one part of the business (often IT, security, HR or business continuity) believes a shortfall exists, but needs to demonstrate the risks in order to convince wider management. If carefully, and honestly and objectively,

