Australian School of Business
Business Risk Management Week 3
Crisis Management
Objectives for this Week
• To understand what a crisis is.
• To compare the traditional view of crisis management with the alternative/modern approach.
• To identify the six stages in modern crisis management proposed by Augustine.
• To examine the role of crisis planning or business continuity planning in crisis management.
Crisis Management - Discussion
• What is a crisis?
• What distinguishes a crisis from a “normal” business problem?
• Why does the management of crises require special management attention?
Crisis Management = Resilience
…the ability of an organisation to resist, absorb, recover and adapt to business disruption in an ever changing and increasingly complex environment to enable it to deliver its objectives, and rebound and prosper (a slightly modified version of the ISO 22136:2017 definition).
Resilience Cycle
Resilience requires planning, education, awareness, communication, testing, exercising and repetition
• Resiliency and Awareness
• Risk Assessment
• Threats and Responses
• Impact Analysis
• Recovery Strategies
• Exercise & Improve
Brand Reputation Issues are Amplified during and post crisis
Trust means treating customers fairly and behaving ethically
83%
[Diagram labels: Brand Promise, Brand Experience, Resilient Brand, Vulnerable Brand]
Source: Consumer Trust Index
Indicated they would never return to a company if their personal data was breached
43%
Protecting an organisation’s brand is a key consideration
An Example Business Resilience Framework
The objective of the Framework is to mitigate the consequences from a disruptive risk event. The Framework consists of 5 components: Emergency Management, Disaster Response, Major Incident Management, Business Continuity and IT Disaster Recovery.
[Diagram: Business Resilience, comprising Major Incident Management, Emergency Management, Disaster Response, Business Continuity and IT Disaster Recovery, numbered 1 to 5]
A Business Resilience Framework needs to align to AS/ISO 22301:2017
Business Resilience Components
1. Major Incident Management
Objective: The overall coordination of an organisation’s response to an incident or disruption, with the aim of avoiding or minimising damage to an organisation’s assets, reputation and ability to operate.
2. Emergency Management
Objective: A set of protocols with the goal of reducing an organisation’s vulnerability to disasters and improving the ability to cope with emergency scenarios.
3. Disaster Response
Objective: This refers to an organisation’s ability to prevent, prepare for and respond to specific disaster scenarios.
4. Business Continuity
Objective: The organisation’s capability to continue delivering its products or services at acceptable predefined levels following a disruptive risk incident.
5. ICT Disaster Recovery
Objective: A structured approach towards minimising damage and recovering from a disruption to key applications and systems.
The Traditional View of Crisis Management
• Traditionally a crisis is seen as:
  – Inevitable
  – Often seen as unpredictable
• Leads to the focus often being on resolving or dealing with the crisis when it occurs
• These views suggest that:
  – There is nothing we can do to prepare for crises
  – The focus is on the event itself
Six Stages of Crisis Management
Augustine by contrast identifies the following six stages in the alternative approach to crisis management:
• Avoiding the Crisis
• Preparing to Manage the Crisis
• Recognising the Crisis
• Containing the Crisis
• Resolving the Crisis
• Profiting from the Crisis
Avoiding the Crisis
• Examine all possible scenarios
• Consider the possible consequences
• Estimate the costs of prevention
• Plan the response
Perfect prevention is perfectly unattainable
Business Impact Analysis
The Business Impact Analysis (BIA) is used to assess the effect that disruptive risk(s) might have on an organisation’s activities/operations (AS/ISO22300:2018) based on the following criteria.
• Activities that cannot tolerate any disruption
• Activities which can tolerate very short periods of disruption
• Activities which could be scaled down if necessary for short periods of time
• Activities which could be suspended if necessary
Business Impact Analysis (Cont.)
The BIA helps prioritise actions to be undertaken in a crisis. This is based on a prioritisation of an organisation’s activities/operations that is determined by:
1. Recovery Time Objective (RTO): the period of time following a disruptive risk event within which services must be resumed, or activity must be resumed, or resources must be recovered. NOTE: For services and activities, the recovery time objective must be less than the time it would take for the adverse impacts that would arise as a result of not providing the service or performing an activity to become unacceptable.
2. Recovery Point Objective (RPO): the age of files that must be recovered from backup storage for normal operations to resume if a computer, system, or network goes down as a result of a hardware, program, or communications failure.
3. Maximum Tolerable Period of Disruption (MTPD): the time it would take for adverse impacts, which might arise as a result of not providing a service or performing an activity, to become unacceptable.
Preparing to Manage the Crisis
• Develop a plan for dealing with a crisis
• Identify responsibilities up front
• Look for the second-order effects
• Test the plan
The best laid plans are worthless if they cannot be communicated
Recognising the Crisis
• Possibly the most difficult stage in Crisis Management
  – Understand how others will perceive the issue
• Public perception is crucial
• Be prepared to recognise that there really is a problem
Asking people who were responsible for preventing a problem whether or not there is a problem is like delivering lettuce by rabbit.
Containing the Crisis
• Take some reasonably decisive action
• Media and Public relations are crucial
  – Form a separate team, but keep the business going
  – Appoint a spokesperson
  – Contact key stakeholders
  – Appoint a “devil’s advocate”
Resolving the Crisis
• Don’t just sit there, do something
Profiting from the Crisis
• Rebuild public and stakeholder trust
• Focus on the “long term”
• Learn from the experience – adaptation
• Write or improve the Business Continuity Plan (BCP) based on the experience
The Essential Elements for an Effective Crisis Management Plan
1. A representative set of planning scenarios. It's essential to create a set of crisis scenarios that serve to guide planning. This need not be an exhaustive list of everything that could happen, but it should represent a broad range of potential emergency situations that the organisation could plausibly face. Examples include: shooter on site, epidemic, bomb threat, major fire, major external terrorist attack, major economic dislocation, infrastructure failure (power grid outage coupled with extreme heat, loss of the Web or telephone lines, disruption in the water supply).
2. A flexible set of response modules. Leaders should be able to pull combinations of pre-set response "modules" off the shelf in a crisis. This is important because real crises rarely directly match planning scenarios. If response options aren't flexible and modularized, novel events or combinations of events can yield ineffective or "brittle" responses. Response modules might include: facility lockdown, police or fire response, evacuation, isolation (preventing people from entering facilities), medical containment (response to significant epidemic), grief management, as well as external communication to media and other external constituencies.
3. A plan that matches response modules to scenarios. This is the core plan that links each of the planning scenarios to the response modules that will be immediately activated. For example, a "shooter on site" event triggers an immediate facility lockdown plus a police response plus preset communication protocols to convene the crisis-response team and warn staff.
4. A designated chain of command. Crisis demands a rapid centralized response and this, in turn, requires a very clear line of command and the ability to shift into what the military term "war fighting mode" rapidly. Otherwise the organisation responds incoherently. This means creating a centralized parallel organisation, in which the leader has a designated deputy and they, too, have a backup who would take command if the others were unavailable or disabled. It also means having a core crisis response team of perhaps five or six people who function as the leader's staff in the parallel crisis-management organisation.
5. Preset activation protocols. Preset signals for activating and coordinating the various response modules in the event of a crisis situation. There have to be clear triggers to move the organisation from "normal" to "war-fighting" mode as well as to activate specific response modules. There also have to be "all clear" signals that shift the organisation back to its normal operating mode.
6. A command post and backup. This should be a location that can be rapidly converted to be used by the crisis response team. Requirements include the ability to rapidly connect many lines of communication, to have access to external media (TV coverage), to provide access to crisis management plans, etc. In addition, there should be a backup command post located off-site in the event that evacuation is necessary. This could be located at a home or other location, so long as the necessary bandwidth for communication and other resources is put in place so that set-up can be swift.
7. Clear communication channels. Easily activated channels for reaching people on site and outside. For example, use of internal speakers and TV monitors to make announcements. A shooter on site, for example, triggers facility lockdown and police response but also rapid announcement that everyone should stay where they are, lock doors, hide, etc. To the extent possible there should be redundancy in these channels including backups that are not linked to the telephone system or the Web. Messages should be composed in advance. There also should be mechanisms for rapidly locating key staff (e.g. "check in" Web pages, phone-in lines).
8. Backup resources. Critical resource stocks to be tapped if necessary. Examples include backup power generation/gas supplies, modest reserves of food and water, and medical supplies. Agreements should also be negotiated with external agencies to provide specific resources in time of crisis, for example augmented private security.
9. Regular simulation exercises. The best plans are worthless if they exist only on paper. There need to be regular, at least biannual, exercises conducted by the crisis response team, and regular testing of channels, inventorying of resources, and the like. These tests should be done regularly, but unscheduled, in order to test speed of response.
10. Disciplined post-crisis review. Each crisis provides an opportunity for organisational learning to occur and plans to be revised. But this learning only occurs if the mechanisms are in place to make it happen. A post-crisis review should be conducted by the crisis response team after each significant event. The guiding questions should be: What went well and what went poorly? What are the key lessons learned? What changes do we need to make to our organisation, procedures, and support resources?
Parting thoughts
THE BEST PLANS ARE WORTHLESS IF THEY EXIST ONLY ON PAPER. THERE NEED TO BE REGULAR, AT LEAST BIANNUAL, EXERCISES.
GOOD CRISIS MANAGEMENT HELPS PROTECT AN ORGANISATION’S BRAND.