In this week’s bulletin, Charlie discusses the debate around the definition of crisis management and what he thinks crisis management should cover.
I was chatting with one of my clients in Renfrewshire and we talked through his crisis management plan, which he had taken from the book ‘prTS 17091, Crisis Management – Guidance for Developing a Strategic Capability’ published in 2017. This book states that crisis management should only be used for unprecedented or extraordinary events. This view of crisis management was also pointed out to me by David Rubens when we had a catch up for our Level 6 ISRM class. He said that in the 21st century, a major incident could often be described as unprecedented, giving the impression that within the past 20 years, we have suffered a series of unusual and one-off events or that have not been similar. It is difficult to predict risk management for events that haven’t happened before, for example, 9/11, Hurricane Katrina and more recently, COVID.
I disagree that crisis management should only consider unprecedented and extraordinary events. The whole definition of crisis in prTS 17091 is an “unprecedented or extraordinary event or situation that threatens an organisation and requires a strategic, adaptive, and timely response in order to preserve its viability and integrity.” I am happy that the term “threatens an organisation” as a crisis has to be seen as a greater magnitude than day-to-day incidents. If the crisis is not dealt with successfully, the organisation could fail, go bankrupt or be bought. If the organisation is in the public sector it can be disbanded, its functions given away, or its management is replaced. The purpose of crisis management is for the organisation to “preserve its viability and integrity”. The part of this definition that says response should be a “strategic, adaptive, and timely response” does not entirely convince me of how to respond to a crisis, but this debate will have to take place for another day!
I have been working on ISO 22361, the replacement of prTS 17091, with a number of colleagues from around the world. We had the same debate when we looked at the definition of a crisis. I remember how much time I devoted to clarifying the definition of crisis quite vividly, and I was supported by Linda Nelson, who runs ICOR. We managed to get the definition expanded to include events that are known risks and risks pertinent to the industry or environment the organisation operates in.
The example I used during the debate is the risks for a shipping company. If you are a small shipping company you may have only one ship, you know that there are several known risks to your ship. They are almost the same as when man took to water. The ship can sink, hit a rock and be damaged, go off course, propulsion break down, the crew go on strike, the list of the possible incidents are endless. The organisation knows that if anything happens to their ship it will be a crisis, and if they can’t resolve the issue and get their ship operating quickly enough, the company will fail. For me, this is a simple example of where an organisation already knows what a crisis event could be. There may be a whole load of other unprecedented and extraordinary events that could happen to their company, but these are in addition to the known crisis events. When you are helping an organisation develop their crisis communications capability, you start the plan by discussing what they see as their five biggest brand and reputation risks. Then, you might build your crisis communications response and preparation around these five risks. You are identifying the known crisis events. Like my shipping company example, other unprecedented and extraordinary events could occur, but it is a lot more challenging to prepare for the unknown, unprecedented incidents.
There are many known risks that could cause organisations to go into a crisis. They can vary from the effects of the pandemic to natural disasters, from product recall to bad behaviour and even dishonesty from senior executives. Perhaps some events could cause an organisation’s failure and require senior management to manage the situation actively, therefore involve a crisis level response. Examples of these events include the Starbucks racism issue, the Colonial Pipeline cyber-attack or the Brewdog open letter of alleged bullying. We have discussed in other bulletins that organisations should have a robust incident management response structure that should be able to deal with unprecedented and extraordinary incidents and when there is no specific contingency plan in place. Organisations should use risk assessments to identify events that would cause a crisis and threaten the organisation. Also, take steps to put mitigation measures in place or have a contingency plan for dealing with that particular incident or, even better, do both. In conclusion, crisis management is not just for those unprecedented and extraordinary events but should also be considered and planned for known risks.