Crisis Management: Dangerous Risk Triggers
Guest post by Merleen Yap, CBCP
Member of GRC Committee, SID
How management and staff handle and respond to stakeholders can make or break the organisation’s brand. It is their duty to respond in the brand’s best interest, so that it does not get damaged too greatly.
Research from the Federal Emergency Management Agency (U.S. Department of Homeland Security) has shown that many organizations focus too much on data backup and systems, but fail to identify other risk triggers that may disrupt business operations (i.e., security risks, fire safety risks, operations risks, corporate communication risks, supply chain risks).
These triggers are sometimes overlooked and not reported to management in a timely manner. As a result, management cannot provide adequate support or oversight. Staff, for their part, may assume that areas that were not reported are probably not a strategic concern of the company, and so overlook those gaps further.
And now here’s the catch: what determines the completeness of the reporting to management? Most staff prefer to report positive metrics, those that detail how well they have done in achieving their KPIs. The danger is that too much positive reporting may hide dangerous risk triggers.
So how can under-reporting of risk triggers be prevented? It can, but only if the performance reporting metrics are set up front, and only if there is open communication that allows senior leadership to be open to the risks identified by staff.
Management should provide adequate support for the organization to set concrete performance reporting metrics and allow open communication to highlight any dangerous risk triggers. (For example: what is the organisation’s current level of readiness to recover in the event of a crisis?)
As the old saying goes, “all work and no play makes Jack a dull boy.” I would say, “All plans make an organization a very dull organization.” Plans need to talk. Plans need to communicate. Plans need to be acted upon.
Plans need to be alive and the organization needs to feel alive.
The fundamental purpose of business continuity planning is to provide sufficient contingency should any crisis arise. Management should prioritize the areas of concern where the organisation’s business continuity planning needs to be enhanced. Failing to do so may result in irreversible damage from a risk trigger.
For a holistic management update on crisis management, management should consider and seek the reporting of the following “EPR” risks of the organisation:
The EPR metric monitors three dimensions: the organisation’s vulnerability to operational disruption, its business continuity planning performance and its recoverability readiness.
With good reporting metrics set up front, the organisation can be better assured of the performance of its business continuity planning and that dangerous risk triggers do not get hidden.