About this time last year, most of us in North America were making plans for summer vacations, spending time with families, and preparing strategies for new business initiatives to launch after Labor Day. Let’s just say that 2020 will be remembered as the year when things went a bit askew. The COVID-19 outbreak and ensuing global pandemic hit the world’s general population by surprise, and dramatically changed both our short and long term personal and business plans.
Did you have a crisis plan in place?
If you said yes, you are indeed a rare, highly intuitive if not prophetic individual, as not even Nostradamus had this one pinned. No, this one caught us all off-guard, and now we all need to make sure that we are prepared for if and when we are challenged with a similar crisis situation. Aside from the physical health hardships imposed by the current pandemic, there are also many damaging byproducts that public and private organizations and businesses in every market sector need to consider.
The Need for Crisis Standard Operating Procedures (SOPs)
There are four primary components of crisis management planning that will help ensure you are prepared when a crisis situation strikes:
- Identify potential threats and liabilities as quickly and accurately as possible
- Assess the crisis and its potential impact/threat to people, property and assets
- Protect your network and data
- Execute Standard Operating Procedures (SOPs) for who, what, when, where and how the crisis plan will be executed
Let’s take a look at each of these SOPs planning stages.
Identify Potential Threats and Liabilities
As the ancient Chinese military strategist Sun Tzu stated in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” A well-recognized business strategy taught in MBA programs for many years, this philosophy is also pragmatic for dealing with crises of all magnitudes.
As we have learned from the COVID-19 pandemic crisis, it is critical to heed the advice of recognized medical professionals to gain insight as to the severity of the risk at hand, and its potential threat to the safety and well-being of all those impacted. The same holds true for weather-related situations and other unknowns that may impact operations. This will help your management team better determine when and where you need to implement mission critical safeguards, such as deploying remote work practices and procedures, altering work schedules, establishing occupancy limitations at facilities, launching health screening technologies, and sterilizing common workspaces.
Begin by creating a list of the possible events that would be considered a crisis for your organization. Typical lists include crisis events such as pandemics, severe weather, burglary, vandalism, workplace violence, an active shooter, cyberattacks, and life safety incidents such as a fire or loss of power. Knowing what types of threats you may face will help you identify and address all your areas of vulnerability.
Assess the Crisis Situation
Consider each risk individually to evaluate the potential impact each could have on your organization. Take into consideration how likely each type of incident is to occur, along with the possible damages that could result from them. These would include financial consequences, injury or loss of life, liability, business interruptions, and any other adverse effects you might experience.
Protect Data and Network Integrity
Evacuating a facility and shifting to remote workforces poses many challenges for organizations that were simply not set-up to operate in this manner. The first and foremost challenge deals with maintaining fluid communications and data access. Fortunately, cellphones have been a long-established business tool, and with the proliferation of voice over IP (VoIP) phone systems, many organizations have already integrated (or easily can integrate) workers’ cellphones into their facility’s phone systems. These integrations enable mobile phones to seamlessly function as “extensions” on the organization’s business phone system.
The greater challenge lies with the organization’s IT infrastructure, now facing new demands by enabling remote access to critical data. The first step to help maintain network integrity is to perform basic endpoint hygiene and connectivity performance tests of networked devices. Assuming that all facility network infrastructure is in good working order and protected with the appropriate physical and cyber security measures, one should theoretically not experience any unexpected technical challenges outside of the impending or current crisis situation.
The big challenge arises with remote personnel now working on their own personal devices. When and wherever possible, IT needs to validate that personal devices being used for business purposes have adequate anti-malware capabilities in place, and work with individuals who have identified risks, as well as high exposure and privileged access rights, to ensure their devices are adequately protected. Other cyber protections such as multifactor authentication and new passwords, and secure VPN connectivity are also highly essential to ensure that only authorized personnel have access to enterprise level applications, servers, and stored data.
And as many organizations have learned during the pandemic, employees not accustomed to working remotely will be more prone to distractions and may not be as vigilant about security. This scenario presents hackers with the ideal opportunity to launch phishing schemes targeting personal devices that now have access to an organization’s network. Personal awareness and vigilance are equally important in protecting network integrity as the cybersecurity technologies IT puts in place. Hence it is important to communicate cybersecurity best practices and remind remote personnel them that they must remain focused and hypervigilant to suspicious activities. Send frequent reminders and remind them of established policies and procedures, and how they can access reference materials if they need a refresher. Additionally, clearly identify what to do and who to contact if they suspect their devices may have been compromised.
Executing SOPs in a Crisis
When an emergency arises, it should immediately trigger the applicable Standard Operating Procedures that you’ve prepared in advance to address specific crisis situations. Ideally, these SOPs should be routinely revisited to ensure they are up to date with current systems and technologies, and the responsibility for their execution should be clearly assigned to a specific crisis task force team.
Having an SOP playbook in place enables organizations to address challenges quickly and efficiently, but there are some fundamental solutions that should be in place that can actually prevent certain risks. A few examples include:
- Perimeter alarm and access control systems to prevent unauthorized entry to facilities that may need to be evacuated
- Surge protection for all critical systems to guard against damage from power spikes and surges
- Secure data verification systems in place to ensure that video and other critical data is being properly transmitted without loss of information at all times
- Up-to-date backups of all system data, intellectual property and other information stored off-site or in third-party storage
Every security team member should know exactly where to go and what to do in the event of each type of incident. The same is true for the population you have on-site each day, whether they are staff members, students, contractors, or any other regular visitors. There are many software systems, including PSIMs, that support this type of planning and help to guide employees should a crisis occur. Checklists can also be invaluable tools to ensure no steps are overlooked in the most stressful moments.
Even with these core safeguards in place, there is still risk, so part of your preparation will be to research and install products and solutions that help deal with incidents during and after they happen. When it comes to protection you should take everything into consideration, including your premises, electronic systems, assets, IT network, and most important of all – your personnel. You should also assess your insurance needs with an expert advisor to ensure you are appropriately covered for all eventualities.
Once you have all of this in place, you need to make sure your systems work well and that all individuals are familiar with their roles. Run through your notification systems, information chains and other alerts on schedule to correct any gaps or shortfalls. By taking the steps outlined here, you help minimize damages, liabilities and help better protect the health and welfare of personnel and the organization.