Every organisation is prone to a variety of risks arising from both natural and man-made sources (e.g. human error, deliberate actions, technology), and these risks give rise to crises.
In the 21st century, security risks are increasingly complicated and interconnected – resulting in multiple failures. Organisations should acknowledge that risks are unavoidable but can be counteracted with proper crisis management. A strategic crisis management plan is required to nip these risks in the bud and restore business after a crisis. Restoration of business after a crisis includes regaining and restarting the core activities necessary to transform inputs into outputs, minimising losses to the organisation and external stakeholders, and consolidating the learning points so that future occurrences of these issues can be avoided (Pearson & Clair, 1998).
Scientific developments and technological advancements are changing the way organisations operate. As such, future risks and potential failures will also differ from those in the past, which limits the effectiveness of organisations that only hedge against risks that have already occurred. As the environment around us changes and improves, risk management methods have to be adjusted accordingly.
“No organisation should be a ‘crisis-prone’ organisation – one that is highly vulnerable to risks and attacks for various reasons. Apart from the financial and intellectual property losses that will be incurred, an ‘unsafe’ organisation can also lead to employees feeling uneasy and insecure, leading to poor job performance.
Having one person making all crisis and risk management decisions can be fatal. Unlike group decision making, there is a greater probability that misinformation, biases and a lack of understanding will cloud the mind of one individual and impair the security and risk decisions made.
A successful crisis management plan must begin with commonly agreed objectives such as:
- Ensuring the organisation can restore operation with minimum resources expended
- Finding alternative means to replace affected resources
- Actively preventing past risks from recurring while pre-empting future risks
Active Risk Management
Organisations should monitor the potential gaps and cracks that surface from changes in work processes or the adoption of new technologies, which perpetrators can take advantage of to cause harm. Preventive measures should then be taken quickly to manage the risks, according to their probability of occurrence and impact. If there are too many risks, Risk Assessment and the use of comparative risk values can differentiate the major risks from the less pressing ones. Risk Control protocols can be grouped into three main categories: pre-crisis, crisis-response and post-crisis.
Regular tabletop exercises involving parties apart from the Crisis Management Team are crucial to help the organisation anticipate unforeseeable risks and crises. They also ensure that everyone knows what to do in a crisis to help the organisation adapt and restore normal operations. All members of these tabletop exercises should come with an open mind and be willing to learn from one another. Transparency is also of utmost importance because members are required to share past crisis management strategies: for example, which areas were handled well, how quickly a crisis was managed, what could have been done better, and whether there were any unfounded assumptions that should have been challenged or validated. All of this information has a direct impact on the organisation’s future response to risk. These exercises also foster cooperation, collaboration and coordination in risk management within the organisation.
Revisit your organisation’s Risk Management Program on a regular basis to ensure that it can keep up with the ever-changing risks in our surroundings. Test the assumptions and always revise the Risk Management Protocols accordingly to ensure robustness and effectiveness.
Pearson, C. M., & Clair, J. A. (1998). Reframing crisis management. The Academy of Management Review, 23(1), 59–76. https://doi.org/10.2307/259099
Within the Security Department, the trend moving forward is to build a team with individuals holding different skills and experiences in cyber security, information systems, business continuity, reputation management and crisis management.