What is a Crisis Management Plan and Why You Should Have It
Today’s IT environments have contributed many positives for business. Costs have decreased and productivity has increased for many companies, especially with cloud and hybrid environments. But it’s important not to forget that your IT isn’t immune to crises.
The time to deal with a crisis is not when it happens but long before. You need to plan and implement a Crisis Management Plan that can help you minimize the potential damage from a crisis. It’s not a matter of if a crisis will occur, but when.
What Crises Will You Face?
A crisis is defined by the International Standards Organization (ISO) as a situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action.
There is a wide range of potential crises, from health and safety incidents to business disruptions to reputation damage, that can cause immediate and long-term negative impact to an organization.
According to a Pillsbury and Levick survey of organizations from a variety of industries, the three most likely crises that would affect their businesses are data breaches (62%), natural disasters (51%), and power outages (40%).
What is the cost of a crisis?
No matter what the type of crisis, the potential costs to your business are significant. Insufficient crisis management will result in significantly longer recovery times and a direct impact on downtime and lost revenue.
According to an IBM Global Study on the Economic Impact of IT Risk, even a minor disruption can lead to dollar losses in the 6-figure range.
You also need to factor in reputational damage as part of a Crisis Management Plan. This is often overlooked by businesses. It’s not always easy to quantify reputational damage. The best way to look at it is how much reputational damage might turn into more tangible issues such as loss of customers, decreased sales, etc.
What can you do to prepare for a crisis? Have a Crisis Management Plan!
The best way to handle any crisis you face is to have a Crisis Management Plan in place that will help you deal with the fallout. Here is a 3-step approach you can take to create and implement a solid Crisis Management Plan:
1. Create a Crisis Management Plan that provides a framework for responding to any crisis, such as the ones mentioned above: health and safety incidents, business disruptions or reputational damage.
2. Establish a hierarchy of crisis management teams to expedite crisis assessment and response.
3. Prepare a Crisis Communications Strategy to respond quickly and appropriately to a crisis and minimize any reputational damage to your company.
What is a Crisis Management Plan?
So what is a Crisis Management Plan exactly? A Crisis Management Plan is a set of processes to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. This includes emergency response plans, crisis communications plans and the steps to invoke a Business Continuity Plan and/or a Disaster Recovery Plan when applicable.
A good Crisis Management Plan should cover as many contingencies as possible. Certainly, your IT staff will have a major role when the crisis involves your IT infrastructure. However, everyone in a business will have some role to play in recovering from a crisis, no matter how big or small.
Even staff not involved in the actual recovery will need to be kept up-to-date to know how they can continue with their jobs. Directly involved staff will need to know their roles in the recovery and any pertinent time frames for completing their tasks.
Why have a Crisis Management Plan?
Companies that don’t have a Crisis Management Plan are far less able to minimize the impact of crises, and thus tangible damages (such as security breaches) and intangible damages (such as reputational damages) will be that much greater. As the example below shows, the consequences can be quite serious.
Case Study: How a large enterprise without a Crisis Management Plan (mis)handled a major crisis
A large consumer retail chain suffered a data breach through malware that compromised the information of many millions of customers’ credit and debit cards as well as shopping records (home addresses, phone numbers and email addresses).
The company’s IT security team became aware of the breach fairly early on in the attack but chose to take no action. Because the company involved was well-known, a security blogger somehow found out about the attack and wrote a blog post about it. The company waited until the next day to issue a response.
Further damage ensued when the company opted to put a dollar limit on its compromised credit cards instead of terminating them. People with compromised cards were not notified and the cards remained active. These people only found out about the data breach when they reached the company-imposed artificial credit limit.
Finally, upper management did virtually nothing in response to the situation, even after the breach became widely known, until three weeks later. The response then came in the form of a public statement by the company’s then CEO on a business cable network show.
Customers and critics perceived the company as purposely trying to hide information, which caused the story to remain front and centre in the news for 6 weeks.
Eventually, the company stated that the breach cost it $148 million in compensation and expenses and nearly $1 billion in lost revenue. Profits fell 46%.
How can a Crisis Management Plan help minimize damages?
Until a crisis is detected, an organization can expect some financial damage. You can’t fight what you don’t know about. However, once the crisis is known, effective management that follows a well-thought-out, realistic Crisis Management Plan can allow a company to minimize the damage.
It’s an opportunity to improve stakeholder and/or customer perceptions and honestly deal with the aftereffects. The perceptions of honesty, truthfulness and demonstrated quick action to deal with a crisis will keep your company’s reputation from suffering.
Let Us Help You with Your Crisis Management Process
A thorough Crisis Management Process is something every company should have, whether big or small. Our team of experts has worked with many organizations to help them build an applicable Crisis Management Plan. Contact us today and we will be happy to discuss how you can improve your organization’s crisis survival at all levels of your business.