Relevant Contents
Need Tailored Business Continuity Insights?
Contact Us Now for Personalized Guidance!
The heart of any crisis management program is the crisis management plan. In today’s post, we’ll tell you what should go into this critical, much-misunderstood document.
Related on MHA Consulting: Here Be Dragons: 5 Myths of Contemporary Crisis Management
Every organization needs a crisis management program. Those organizations that lack them are at greater risk for impacts to life safety and property when a crisis strikes. They are also more likely to face delays in recovering from the event and resuming normal operations.
A Critical Document
At the core of every crisis management program is the crisis management plan, a document that sets forth the critical steps of the company’s emergency response plan.
This critical document plays a key role in three areas of the crisis management program:
- In writing it, the company is pushed to think through and make key decisions about how it will manage a crisis and not act in an ad hoc manner.
- The plan guides the crisis management team (CMT) during training and exercises.
- Your plan is the company’s playbook during an emergency.
- The plan has predefined and approved decisions and content to speed execution and management during an event.
Confusion Over the Plan
We at MHA Consulting have discovered over the years that there is a lot of discussion and questions out there over what should go into a crisis management plan document.
Other common questions concern how long the document should be, how it should be formatted (on paper? as a PDF?) and how widely it should you should distribute it.
For a discussion of these and other topics, keep an eye out for our forthcoming ebook, The MHA Consulting Crisis Management Handbook.
In today’s post, I want to confine myself to that first question, about what should be included in the CM plan document.
What Belongs in the Crisis Management Plan
In looking at what should be included in a CM plan, the first thing to talk about is what should not be included. What are the things you should leave out? The answer is, a lot of fluff that finds its way into many organizations’ CM plans. This includes long statements of philosophy, wordy rationales, cartoons, funny clip art, and similar extraneous material.
The CM plan is not about audit information, policy or justification.
It is a utilitarian document whose main focus is on things that need to be done. The core of it is a series of checklists divided among the CM team member roles that set forth the action items and responsibilities of each role.
Core Content of a CM Plan Document
Every organization’s CM plan will be different because every organization’s priorities, industry, and culture are different.
However, there are several sections that should have a place in almost every crisis management plan.
Below is a list of those sections in the order in which they commonly appear and an explanation of each. Remember, these are intended to be functional and useful in moving the execution forward.
- Purpose. A brief statement of the purpose of the plan. Emphasis on brief.
- Crisis Management Priorities. Very important. This is a list of the things the plan is devised to protect. Typically the priorities listed are some version of the following: protecting life safety, stabilizing the incident, protecting and preserving property, and recovering the business.
- Planning Assumptions. The assumptions under which the plan is written. Some facilities or scenarios might fall outside the assumptions and necessitate specific callouts.
- Plan Scope. Sets forth the facilities and functions that are and are not covered by the plan.
- Event Response Process Flow. A section containing a flow chart showing which actions should be taken by which parties after an emergency arises. Helps the team execute the plan in a disciplined manner.
- Event Detection. Could also be referred to as Plan Triggers. Sets forth what type of occurrences are sufficient to trigger the CM team to start assembling and the command center to be revved up.
- Event Severity Matrix. Includes a table laying out various kinds of occurrences that could affect different areas across the organization (life safety, facilities, etc.). Categorizes them on a scale from low priority to high impact and at different levels of seriousness, from Level 1 (least) to Level 4 (most).
- Event Classification System. Gives examples of different impacts that can happen to various areas across the organization. These are tied to the Severity Matrix.
- Plan Activation. Sets forth who has the authority to activate the plan, pull the team together, and open the command center. Typically includes the head of the company. Should include others as well (e.g., any two CMT members) to ensure there’s always someone available who can set the plan in motion.
- Command Center. Identifies the primary and alternate physical command centers and the virtual command center. Gives their locations and any special criteria. Provides the bridge for the virtual command center. The physical centers should also have the ability for someone to call in.
- Disaster Declaration Criteria. States what events are sufficient to result in a declaration of a disaster and who has the authority to make the declaration. Specifies the actions that will occur once a disaster is declared.
- Communication Guidelines. Details who will handle communicating to internal and external stakeholders and the media and social media about the event. Explains the who, when, and how (e.g., emails, text, calls, announcement over loudspeaker) of communication across the board. Prewritten scripts for foreseeable situations should be included in an appendix.
- CMT Organizational Structure. Includes an org chart of the CM team. Indicates who is on the core team (typically, members of such critical departments as finance, human resources, legal, IT, facilities, security, and corporate communications). It also shows who is on the extended team. Members of the extended team are called in on an as-needed basis, depending on the emergency. Different organizations will have different departments represented on the core team depending on their industry.
- CMT Members – Roles and Responsibilities. The heart of the crisis management plan. Contains detailed checklists of action items for each role. The items specify things the person in that role needs to do or look into. This will take up many pages of the CM plan.
- Appendices. The appendices included will vary from organization to organization. Common ones are: a list of CMT members and alternates with their contact information, a list of critical vendors and suppliers, a collection of pre-written communication scripts, guidelines for coping with acute staff shortages (such as might be caused by a pandemic), and instructions and templates for reporting and documenting the event.
The CM Plan Document is the Linchpin
The crisis management plan document is the linchpin of the CM program. By making sure your CM plan includes the content and sections set forth above, you are on your way to making sure your company can respond in a rational, effective, and focused manner when and if an emergency strikes.
Further Reading
For more information on crisis management and other hot topics in business continuity and IT/disaster recovery, please see these recent posts from MHA Consulting and BCMMETRICS:
- Crisis Response in Today’s Breakneck World
- Here Be Dragons: 5 Myths of Contemporary Crisis Management
- 7 Tips to Help You Protect Your Brand in a Crisis
- In Time of Crisis: What to Do in the First 24 Hours
- Crisis Management Team-Building Ideas: If It’s Good Enough for Google…
- It Shouldn’t Be a Scavenger Hunt: Accessing Critical Recovery Information in Crisis
- 4 Rules for Effective Communication in a Crisis
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.