Crisis Management: Dangerous Risk Triggers

September 19, 2017, DRI Admin

Guest post by Merleen Yap, CBCP
Member of GRC Committee, SID

How management and staff handle and respond to stakeholders can make or break the organisation’s brand. It is their duty to respond in a way that keeps the brand of the organization from being damaged too greatly.

Research from the Federal Emergency Management Agency (U.S. Department of Homeland Security) has shown that many organizations focus too much on data backup and systems, but fail to identify other risk triggers that may disrupt business operations (i.e., security risks, fire safety risks, operations risks, corporate communication risks, supply chain risks).

These triggers are sometimes overlooked and not reported to management in a timely manner. As a result, management cannot provide adequate support or oversight. Staff, in turn, may have assumed that areas that were not reported were probably not a strategic concern of the company, and so overlooked those gaps even further.

And now here’s the catch: what determines the completeness of the reporting to management? Most staff prefer to report positive metrics, the ones that detail how well they have done in achieving their KPIs. The danger is that too much positive reporting may hide dangerous risk triggers.

So how can under-reporting of risk triggers be prevented? It can be prevented only if the performance reporting metrics are set up front, and only if there is open communication in which senior leadership is open to the risks identified by the staff.

Management should provide adequate support for the organization to set concrete performance reporting metrics and allow open communication to highlight any dangerous risk triggers. (For example, what is the current level of the organisation’s readiness to recover in the event of a crisis?)

As the old saying goes, “all work and no play makes Jack a dull boy.” I would say, “All plans make an organization a very dull organization.” Plans need to talk. Plans need to communicate. Plans need to be acted upon.

Plans need to be alive and the organization needs to feel alive.

The fundamental purpose of business continuity planning is to provide sufficient contingency should any crisis arise. Management should prioritize the areas of concern where the organisation’s business continuity planning needs to be enhanced. Failing to do so may result in irreversible damage from a risk trigger.

For a holistic management update on crisis management, management should consider and seek the reporting of the following “EPR” risks of the organisation:

  • Exposure Risks (whether the country’s security risks, medical risks, facility risks and transportation risks have been considered)
  • Performance Risks (whether the organization has carried out meaningful business continuity management that is in line with the latest industry best practices, coupled with a good corporate communication plan and periodic fire safety checks)
  • Recoverability Risks (whether the organization has tested its contingency arrangements should a crisis occur).

The EPR metric is a 3-dimensional monitoring of the organisation’s vulnerability to operational disruption, the organisation’s business continuity planning performance and the organisation’s recoverability readiness.

With good reporting metrics set up front, there is better assurance that dangerous risk triggers do not get hidden in the performance of business continuity planning.