Principles of Incident Response and
Disaster Recovery
Crisis Management and Human Factors
Principles of Incident Response and Disaster Recovery 2
Objectives
• Understand the role of crisis management in the typical organization
• Guide the creation of a plan preparing for crisis management
• Understand and deal with post-crisis trauma
• Work toward getting people back to work after a crisis
• Know the impact of the decisions regarding law enforcement involvement
Principles of Incident Response and Disaster Recovery 3
Objectives (continued)
• Manage a crisis communications process• Prepare for the ultimate crisis in an organization
through succession planning
Principles of Incident Response and Disaster Recovery 4
Introduction
• Reactions to a crisis are typically focused on technical issues and economic priorities
• The most critical assets – the people – are often overlooked
• People cannot be readily replaced
Principles of Incident Response and Disaster Recovery 5
Crisis Management in the Organization
• Crises are inevitable, whether the organization is prepared or not
• Crisis management brings its own terminology, and a host of myths
Principles of Incident Response and Disaster Recovery 6
Crisis Terms and Definitions
• Crisis: a significant business disruption that stimulates extensive news media coverage
• Crises are typically caused by:– Acts of nature (storms, earthquakes, volcanic activity,
etc.)– Mechanical problems (ruptured pipes, metal fatigue,
etc.)– Human errors (wrong valve opened,
miscommunications, etc.)– Management decisions and indecisions (ignoring a
problem, hiding a problem, etc.)
Principles of Incident Response and Disaster Recovery 7
Crisis Terms and Definitions (continued)
• Crises can be categorized into two types:– Sudden crisis– Smoldering crisis
• Sudden crisis: a disruption in the company’s business that: – Occurs without warning – Is likely to generate news coverage– May adversely impact employees, investors,
customers, suppliers, and other stakeholders
Principles of Incident Response and Disaster Recovery 8
Crisis Terms and Definitions (continued)
• A sudden crisis may be:– A business-related accident resulting in significant
property damage that disrupts normal business operations
– Death or serious illness or injury of management, employees, contractors, customers, visitors, etc., as the result of a business-related accident
– Sudden death or incapacitation of a key executive– Discharge of hazardous chemicals or other materials
into the environment– Accidents that cause disruption of telephone or utility
service
Principles of Incident Response and Disaster Recovery 9
Crisis Terms and Definitions (continued)
• A sudden crisis may be (continued):– Significant reduction in utilities or vital services
needed to conduct business– Any natural disaster that disrupts operations or
endangers employees– Unexpected job action or labor disruption– Workplace violence involving employees, family
members, or customers• Smoldering crisis: any serious business problem
not generally known within or without the company, which may generate negative news coverage if or when it goes public
Principles of Incident Response and Disaster Recovery 10
Crisis Terms and Definitions (continued)
• Examples of smoldering crises:– Sting operations by a news organization or
government agency– OHSA or EPA violations that could result in fines or
legal action– Customer allegations of overcharging or other
improper conduct– Investigation by a federal, state, or local government
agency– Action by a disgruntled employee such as serious
threats or whistle-blowing
Principles of Incident Response and Disaster Recovery 11
Crisis Terms and Definitions (continued)
• Examples of smoldering crises (continued):– Indications of significant legal, judicial, or regulatory
action against the business– Discovery of serious internal problems that will have
to be disclosed to employees, investors, customers, vendors, and/or government officials
• Crisis management (CM): those actions taken by an organization in response to a an emergency situation in an effort to minimize injury or loss of life
Principles of Incident Response and Disaster Recovery 12
Crisis Terms and Definitions (continued)
• Emergency response: all activities related to safely managing the immediate physical, health, and environmental impacts of an incident
• Crisis communications: the public relations aspect of crisis management, including both internal and external communications
• Humanitarian assistance: efforts designed to address the psychological and emotional impact on the workforce
Principles of Incident Response and Disaster Recovery 13
Crisis Misconceptions
• Myth #1: The majority of business crises are sudden crises– Fact: There are more smoldering crises than sudden
crises
• Myth #2: Crises are most commonly the result of employee mistakes or acts of nature– Fact: Crises resulting from management actions,
inactions, or decisions are more prevalent
Principles of Incident Response and Disaster Recovery 14
Preparing for Crisis Management
• Organizations must prepare for crisis management• Crises may be small and innocuous, or large and
catastrophic• The most effective executives have learned to deal
successfully with crises• Goal is to keep crises well managed and out of the
media when possible
Principles of Incident Response and Disaster Recovery 15
General Preparation Guidelines
• Preparation tips:– Prepare contingency plans in advance– Immediately and clearly announce internally that only
the crisis team members should speak about the crisis to the outside world
– Move quickly: the first hours after the crisis breaks are when the media will jump on it
– Use crisis management consultants– Give accurate and correct information; trying to
manipulate information will backfire– Consider both short-term and long-term effects when
making decisions about actions
Principles of Incident Response and Disaster Recovery 16
General Preparation Guidelines (continued)
• Excuses frequently offered by companies in crisis:– Denial: “It can’t happen to us.”– Deferral or low prioritization: “We’ve got more
important issues to handle.”– Ignorance: “Risk? What risk?”– Inattention to warning signs: “I didn’t see it coming.”– Ineffective or insufficient planning: “I thought we were
ready!”
Principles of Incident Response and Disaster Recovery 17
Organizing the Crisis Management Team
• Crisis management planning committee: – Group charged with analyzing vulnerabilities,
evaluating existing plans, and developing and implementing a comprehensive crisis management program
– Should include representatives of all appropriate departments
– May include an outside consultant
• Crisis management team: responsible for handling the response to an actual crisis situation
Principles of Incident Response and Disaster Recovery 18
Organizing the Crisis Management Team (continued)
• CM team:– May consist of only a few individuals– Usually relatively devoid of technical proficiency– Primary focus is the command and coordination of
human resources in an emergency• Crisis management focuses on the physical,
mental, and emotional health and well-being of the people in the organization
Principles of Incident Response and Disaster Recovery 19
Organizing the Crisis Management Team (continued)
• CM team members typically include:– Team leader: responsible for overseeing the actions
of the CM team; usually a senior HR executive– Communications coordinator: manages all
communications between CM team, management, employees, and the public, including media and government
– Emergency services coordinator: responsible for contacting and managing all interactions between the organization and any emergency services, including utilities
– Other members as needed
Principles of Incident Response and Disaster Recovery 20
Organizing the Crisis Management Team (continued)
• Head count: – Physical accountability of all personnel; essential in
determining the whereabouts of employees during an emergency
– Usually the responsibility of the first-line supervisor, with reporting to the next level of management
– Top of the chain of command aggregates the totals to ensure all employees are accounted for
• Crisis management planning team is responsible for developing the CM plan
Principles of Incident Response and Disaster Recovery 21
Organizing the Crisis Management Team (continued)
• Questions in preparation:– What kind of notification system do we have or need?
Automated or manual? How long does it take?– Is there an existing crisis management plan? How old
is it? When was it last used or tested?– What internal operations must be kept confidential to
prevent embarrassment or damage to the organization? How are we currently protecting that information?
– Is there an official spokesperson? Who is the alternate?
Principles of Incident Response and Disaster Recovery 22
Organizing the Crisis Management Team (continued)
• Questions in preparation (continued):– What information should be shared with the media?
With our employees?– What crises have we faced in the past? What crises
have other organizations in our region faced? Have we changed how we operate as a result of those crises?
• CM Planning team should also use the BIA and IR, DR, and BC scenarios with best-case, worst-case, and most likely outcomes to provide insight
Principles of Incident Response and Disaster Recovery 23
Crisis Management Critical Success Factors
• Critical success factors: those few things that must go well to ensure success for a manager or organization
• Crisis management critical success factors:– Leadership– Speed of response– A robust plan– Adequate resources– Funding– Caring and compassionate response– Excellent communications
Principles of Incident Response and Disaster Recovery 24
Crisis Management Critical Success Factors (continued)
• Leadership:– Provides purpose, direction, and motivation to others– Leaders need not be managers
• Important leadership skills:– Multitasking– Rational under pressure– Empathy– Quick, effective decision making– Delegation– Communications– Prioritization
Principles of Incident Response and Disaster Recovery 25
Crisis Management Critical Success Factors (continued)
• Golden hour: in medical terms, the first hour after an injury; if treated within this period, there is the highest probability of recovery
• Speed of response:– Handle as much as possible in the first hour to
ensure the highest probability of minimizing crisis impact
• A robust plan:– Plan is the heart of the CM response– Plan must be clearly defined, rehearsed, and
managed
Principles of Incident Response and Disaster Recovery 26
Crisis Management Critical Success Factors (continued)
• Adequate resources:– The right resources at the right place– Some critical resources include:
• Access to funds, especially cash• Communications management• Transportation to and/or away from the crisis area• Legal advice• Insurance advice and support• Moral and emotional support• Media management• Effective operations center
Principles of Incident Response and Disaster Recovery 27
Crisis Management Critical Success Factors (continued)
• Funding:– Don’t be cheap; spend what is needed when it is
needed– Cutting corners may lead to legal fees and punitive
damages later– Expenses may include:
• Employee assistance programs, including counseling• Travel expenses, including lodging• Employee overtime for hourly staff• Replacement of lost, damaged, or destroyed property
for employees• Compensation for those who were injured
Principles of Incident Response and Disaster Recovery 28
Crisis Management Critical Success Factors (continued)
• Caring and compassionate response:– At some point it has to be people concerned about
people– CM team and management must have good people
skills, be able to demonstrate they understand the personal issues their employees are facing
• Excellent communications:– Fear of the unknown is the worst fear of all– Keep employees, the community, and the media
informed of events and the organization’s efforts
Principles of Incident Response and Disaster Recovery 29
Crisis Management Critical Success Factors (continued)
• Communications items to consider in planning:– Have key personnel undergo media training– Know your stakeholders and keep them apprised– Tell it all, tell it fast, and tell the truth– Have information ready to distribute, either verbally or
in writing– Express pity, praise, and promise
Principles of Incident Response and Disaster Recovery 30
Developing the Crisis Management Plan
• Crisis management plan:– Developed by the CM planning team– Specifies the roles and responsibilities of individuals
during a crisis– Provides instruction to the CM team and to individual
employees– Can serve as both policy and plan
Principles of Incident Response and Disaster Recovery 31
Developing the Crisis Management Plan (continued)
• Typical CM plan has these sections (continued):– Purpose– Crisis management planning committee– Crisis types– Crisis management team structure– Responsibility and control– Implementation– Crisis management protocols– Crisis management plan priorities– Appendices
Principles of Incident Response and Disaster Recovery 32
Developing the Crisis Management Plan (continued)
• Purpose:– Overview of the purpose– Identifies the individuals to whom this plan applies
• Crisis management planning committee:– Identifies the CM planning committee– Distinguishes the planning committee from the
operating team– May also specify the frequency and location of the
planning committee meetings
Principles of Incident Response and Disaster Recovery 33
Developing the Crisis Management Plan (continued)
• Crisis types:– Groups crises into 3 or 4 categories with
corresponding level of response required– Examples:
• Category 1: Minor damage to physical faculties or minor injury to personnel addressable with on-site resources or limited off-site assistance
• Category 2: Major damage to physical facilities or injury to personnel requiring considerable off-site assistance
• Category 3: Organization-wide crisis requiring evacuation of facilities
Principles of Incident Response and Disaster Recovery 34
Developing the Crisis Management Plan (continued)
• Crisis management team structure:– Identifies CM team and responsibilities by names or
titles
• Responsibility and control:– Defines the level of authority granted to the CM team
leader during a crisis– Chain of command: list of officials from an individual
to the top level executive– Executive-in-charge: the ranking executive on site
when the crisis occurs
Principles of Incident Response and Disaster Recovery 35
Developing the Crisis Management Plan (continued)
• Implementation:– Details on implementation, including contingencies– Should handle optimal and suboptimal situations with
reduced services– Key tasks include communications to emergency
services, management, and employees• Crisis management protocols:
– Notification protocols for individuals based on typical crisis or emergency events
Principles of Incident Response and Disaster Recovery 36
Developing the Crisis Management Plan (continued)
• Typical protocols include:– Medical emergency: epidemic or poisoning– Violent crime or behavior: robbery, murder, suicide,
personal injury (existing or potential), etc.– Political situations: riots, demonstrations, etc.– Off-campus incidents or accidents involving
employees– Environmental or natural disasters: fires, earthquakes,
floods, chemical spills or leaks, explosions, etc.– Bomb threats
Principles of Incident Response and Disaster Recovery 37
Developing the Crisis Management Plan (continued)
• Crisis management plan priorities:– Defines priorities of effort for the CM team and other
responsible individuals– Requires the establishment of general priorities, each
with a number of subordinate priorities– Details the objectives for each priority level
• Appendices:– Critical phone numbers (communications roster)– Building layouts or floor plans– Planning checklists
Principles of Incident Response and Disaster Recovery 38
Developing the Crisis Management Plan (continued)
• Assembly area (AA): an area where individuals should gather to facilitate a quick head count
• Sample CM plan is included in Appendix C
Principles of Incident Response and Disaster Recovery 39
Crisis Management Training and Testing
• Includes desk check, talk-throughs, walk-throughs, simulation, and other exercises on a regular basis
• Training exercises unique to CM include:– Emergency roster test (notification test or alert roster
test): seeks to determine the ability of the employees to respond to a notification system
– Tabletop exercises: scenario-driven talk-through– Simulation: allows employees to practice their
responses to the simulated situation; may be done in concert with fire or emergency services
Principles of Incident Response and Disaster Recovery 40
Crisis Management Training and Testing (continued)
• First aid training:– Advisable for first responders– Should include first aid and CPR training– May include heart defibrillators
Principles of Incident Response and Disaster Recovery 41
Other Crisis Management Preparations
• Emergency kits containing:– Laminated checklist of steps in CM plan– Map with assembly areas and shelters– Laminated card with emergency services numbers– Flashlight, batteries, and reflective vests– Warning triangle markers and caution tape– First aid kit with disposable gloves– Clipboard, notepad, and pens– Permanent markers– Spray paint or other high-visibility markers
Principles of Incident Response and Disaster Recovery 42
Other Crisis Management Preparations (continued)
• ID cards:– Contain employee personal information plus
emergency information– Must protect employee privacy, however
• Medical alert tags and bracelets– Recommended for all employees with allergies,
diabetes, or other special medical conditions
Principles of Incident Response and Disaster Recovery 43
Post Crisis Trauma
• Post-traumatic stress disorder can affect anyone who has experienced a severe traumatic episode
• The organization must look out for the well-being of its employees
• Effects of trauma may not show up for some time
Principles of Incident Response and Disaster Recovery 44
Post-Traumatic Stress Disorder
• Post-traumatic stress disorder (PTSD):– A psychiatric disorder that can occur following the
experience or witnessing of life-threatening events such as military combat, natural disasters, terrorist incidents, serious accidents, or violent personal assaults like rape
– Often manifests as nightmares and flashbacks– Symptoms include difficulty sleeping, detachment– Requires outside expert assistance
Principles of Incident Response and Disaster Recovery 45
Employee Assistance Programs
• Employee assistance program (EAP):– Provide a variety of counseling services– May include
• Counselors• Legal aides• Medical professionals• Interpreters
– May be part of health benefits program
Principles of Incident Response and Disaster Recovery 46
Immediately After the Crisis
• Use assembly areas to gather employees, conduct head counts, and assess injuries and needs
• Hold an information briefing to provide employees with an overview of the situation and what the course of action will be
• Advise employees not to speak with the media• Be prepared to deal with family members:
– May need outside expert assistance– Follow up with employees receiving medical care– Personal visits to injured employees or grieving
families is advised
Principles of Incident Response and Disaster Recovery 47
Getting People Back to Work
• Start with an information briefing to all employees to squelch the rumor mill
• Include the facts, management’s response, impact on the organization, and plans to recover, plus timetables if available
• Vital to use skilled crisis management professionals to monitor and follow up on employees as needed
Principles of Incident Response and Disaster Recovery 48
Dealing with Loss
• Employees may leave the organization through:– Death– Serious injury– Unwillingness to return after a crisis
• Vital skills and organizational knowledge may be lost when employees leave
• Techniques to prepare for loss of skills and knowledge include:– Cross-training– Job and task rotation– Redundancy
Principles of Incident Response and Disaster Recovery 49
Dealing with Loss (continued)
• Cross-training:– Ensuring that every employee is trained to perform at
least part of the job of another employee– Usually occurs as on-the-job training and one-on-one
coaching– Must ensure that employees do not feel they are
being prepared for termination• Job and task rotation:
– Job rotation moves employees from one position to another
– Can use vertical and horizontal job rotation
Principles of Incident Response and Disaster Recovery 50
Dealing with Loss (continued)
• Vertical job rotation: rotating an employee through jobs in the same functional area from lowest to highest (through progression and promotion)
• Horizontal job rotation: movement of employees between positions at the same organizational level
• Task rotation: involves the rotation of a portion of a job rather than the entire position
• Personnel redundancy: hiring more individuals than the minimum number required to perform the function
Principles of Incident Response and Disaster Recovery 51
Law Enforcement Involvement
• Do not hesitate to contact law enforcement during a crisis
• Law enforcement have skills geared to crisis management:– Crowd control– First aid– Search and rescue– Physical security
• Involvement may escalate from local to state to federal agents and officers
Principles of Incident Response and Disaster Recovery 52
Managing Crisis Communications
• Managing internal and external communications during and after a crisis is an essential factor in keeping the organization together and functioning
• Some communications can be managed; some cannot be easily managed, such as those with:– Law enforcement– Emergency services– The media
Principles of Incident Response and Disaster Recovery 53
Crisis Communications
• 11 steps of crisis communications:– Step 1: Identify your crisis communications team– Step 2: Identify spokespersons– Step 3: Spokesperson training– Step 4: Establish communications protocols– Step 5: Identify and know your stakeholders– Step 6: Decide on communications methods– Step 7: Anticipate crises– Step 8: Develop holding statements to be used
immediately after a crisis breaks
Principles of Incident Response and Disaster Recovery 54
Crisis Communications (continued)
• 11 steps of crisis communications (continued):– Step 9: Assess the crisis situation– Step 10: Identify key messages for stakeholders– Step 11: Riding out the storm
Principles of Incident Response and Disaster Recovery 55
Avoiding Unnecessary Blame
• Regardless of the cause of the crisis, the media seeks to assign responsibility, especially if there were casualties
• Difference between fault and blame:– Fault: occurs when management could have done
something in line with due diligence or due care to prepare for or react to a crisis
– Blame: occurs as a human response to deal with inexplicable travesty associated with loss
• If the organization believes it is not at fault, it should take steps to avoid being blamed
Principles of Incident Response and Disaster Recovery 56
Avoiding Unnecessary Blame (continued)
• Examine vulnerabilities that could escalate to crises:– Is there more that could be done to prevent or
prepare for this event?– Will the planned reaction create further risk to
employees or others?– If the CM plan goes as expected, will you be proud
to be on the news?
Principles of Incident Response and Disaster Recovery 57
Avoiding Unnecessary Blame (continued)
• Manage outrage to defuse blame:– Be prepared to demonstrate how prepared you were
for the emergency– Seek and accept responsibility where appropriate– Consider the Johnson & Johnson response to the
Tylenol poisoning in 1982
Principles of Incident Response and Disaster Recovery 58
Avoiding Unnecessary Blame (continued)
• Questions to help avoid blame:– Should we have foreseen this and taken precautions
to prevent it?– Were we unprepared to respond effectively?– Did management do anything intentionally that
caused this or made it more severe?– Were we unjustified in actions leading up to and
following the incident?– Is there any type of scandal or cover-up related to
our involvement in the incident?
Principles of Incident Response and Disaster Recovery 59
Succession Planning
• It is extremely difficult for individuals to function following a loss of life of someone they know or if they witnessed the death
• When an organization's chain of command is broken, post-traumatic stress among the survivors may hamper action
• Succession planning (SP): process that enables an organization to cope with any loss of personnel with a minimum degree of disruption
Principles of Incident Response and Disaster Recovery 60
Elements of Succession Planning
• Succession planning is an essential executive-level function
• Six-step model directs what management should do:– Assure an alignment between the organization’s
strategic plan and the intent of the SP process– Identify key positions that should be protected by SP– Seek out current and future candidates for key
positions from among members of the organization– Develop training programs to ready potential
successors
Principles of Incident Response and Disaster Recovery 61
Elements of Succession Planning (continued)
• Six-step model (continued):– Integrate the SP process into the culture of the
organization– Ensure that the SP process is complementary to the
staff development programs throughout HR functions
• Alignment with strategy:– SP process should be created to meet the current
and future needs of the organization’s strategic plan
Principles of Incident Response and Disaster Recovery 62
Elements of Succession Planning (continued)
• Identifying positions:– Positions to include in the SP are those where the
loss of an incumbent will cause great economic loss, result in significant disruption of operations, or create a significant risk to secure operations of critical system
– Must define thresholds for economic loss, degree of disruption, or increased risk
– Identify the critical competencies and skills for each position
Principles of Incident Response and Disaster Recovery 63
Elements of Succession Planning (continued)
• Identifying candidates:– Use performance appraisals, validated psychological
assessments– Remember that managers tend to seek out and
advance those who are similar to themselves
• Developing successors:– In addition to expected training and development
activities, candidates should receive mentoring and other organizational real-time learning opportunities
Principles of Incident Response and Disaster Recovery 64
Elements of Succession Planning (continued)
• Integration with routine processes– SP process must be operated by the line managers
that form the core of the broad executive team, not HR staff
• Balancing SP and operations:– SP must have the same level of importance as other
planning organizing, leading and controlling activities common to managers everywhere
Principles of Incident Response and Disaster Recovery 65
Succession Planning Approaches for Crisis Management
• All CM plans must have provisions for dealing with losses in key positions
• SP plan must indicate the degree of visibility or transparency that will accompany the SP process
• Two degrees of transparency:– Operationally integrated succession planning: fully
visible approach that is well known to incumbents and potential successors
– Crisis-activated succession planning: concealed approach in which succession is unknown until implemented
Principles of Incident Response and Disaster Recovery 66
Succession Planning Approaches for Crisis Management (continued)
• If using crisis-activated SP, the SP mechanisms must become part of the crisis management operational plan
Principles of Incident Response and Disaster Recovery 67
Summary• Crisis: a significant business disruption that
stimulates extensive news media coverage and could have legal, financial, and governmental impact
• Crises can be caused by acts of nature, mechanical problems, human errors, or management decisions and indecisions
• Two types of crises based on rate of occurrence and warning time: sudden crisis and smoldering crisis
• Sudden crisis occurs without warning• Smoldering crisis is any problem not generally
known within or without the company
Principles of Incident Response and Disaster Recovery 68
Summary (continued)
• Crisis management: actions take by an organization in response to an emergency situation to minimize injury or loss of life
• Crisis planning committee should have representatives from all appropriate business departments and disciplines
• Crisis management team includes individuals responsible for handing the response to an actual crisis situation
• Core assets to be protected are people, finances, and reputation
Principles of Incident Response and Disaster Recovery 69
Summary (continued)
• Critical success factors for crisis management are leadership, speed of response, a robust plan, adequate resources, funding, caring and compassionate response, and excellent communications
• Training for CM is similar to that for IR, DR, and BC
• During a crisis, provide employees with the facts, management’s response, impact on the organization, and plans to recover
• Use cross-training, job and task rotation, and job redundancy to mitigate loss of critical staff
Principles of Incident Response and Disaster Recovery 70
Summary (continued)
• Do not hesitate to contact law enforcement if needed
• Critical US federal agencies include DHS, FEMA, Secret Service, FBI, and federal hazardous materials agencies
• Communications are essential to keeping the organization together and functioning during a crisis
• Succession planning is used to enable an organization to deal with the loss of key personnel
Top Related