Recently I was running a hurricane drill for a client in the Caribbean and they were inspecting their campus to see what debris needed to be removed. Each year, as part of the drill, we look for things that could ‘float or fly’ during a hurricane and make plans for proper storage or disposal. This year, one of the items listed in the report was “an umbrella in a manhole.” There it was, literally a beach umbrella, closed, stuffed down an open manhole. The story goes that someone was working in the manhole on a rainy day. He opened the umbrella over the hole (with the pole hanging down in the hole) and he kept dry.
Finding the umbrella on the client’s campus caused a chuckle during the drill and it was easily disposed of. But it made me think of a chronic problem that I see as I discuss crisis management and business continuity strategies with people I meet. All too often I’m faced with people who approach the topic with a strategy that amounts to opening an umbrella in a manhole. Those of you old enough to remember the old Road Runner cartoons might recall poor Wile E. Coyote holding a tiny umbrella over his head while an anvil fell from the sky above. Naturally the umbrella was no match for the Acme Anvil and the coyote (and his umbrella) were crushed. The cartoon still makes me laugh. The business people I meet (in the manhole) feel protected by their umbrella and may even be sheltered from a light rain – but they lack the structural support to provide real protection when the anvils start to fall. Let me give you some examples:
- One organization may feel like they have business continuity under control because their people are just going to work from home during a disruptive incident. Their strategy is an umbrella in a manhole. During a minor incident, like a brief snow storm, their people work from home for a day and everything works well, and they feel like the umbrella protected them adequately. But as soon as heavier objects start to fall – like the loss of their main office building during the busiest time of year, or a major system outage – the team doesn’t know how to communicate with one another, isn’t prepared for how to set priorities during a prolonged crisis and can’t function effectively while they are dispersed. The umbrella can’t handle the burden of the heavier objects. Their strategy crumbles.
- Another company has a Crisis Management Plan but never tests it. They have spent a lot of time as a committee working up their response strategy, but they never shared it with the executive team. Their Crisis Management Plan is an umbrella in a manhole. They experience a minor incident and manage it without ever referencing their plan and they feel pretty good – like the umbrella protected them. But then heavier objects fall on them…a cybersecurity attack, social media backlash over a statement made by their CEO, a product recall – and they realize that their umbrella doesn’t have the structure in place to protect them from a real crisis. The umbrella isn’t good enough. They aren’t prepared.
- Yet another company takes a lackluster approach to Disaster Recovery. They have Disaster Recovery solutions in place and may even test them occasionally. But their Change Management process doesn’t do well to keep their Production and DR environments in sync. Their DR strategy is an umbrella in a manhole. After a minor incident, they must recover a system and they don’t refer to their disaster recovery plan. They use their technical team’s knowledge of the affected system and (wouldn’t you know it) the recovery works…albeit very slowly. The bottom line is, they are reassured. Their umbrella worked. But then a major outage occurs, and they realize that they never established priorities for recovery, don’t have updated documentation and their recovered systems are not up to date with what was running in production. Someone has dropped a bowling ball down the manhole and the umbrella folds in on itself.
- Then there are those who implement a crisis management plan only because they are compelled to do so by their regulators. They do it simply to check off a box in an audit. It’s an umbrella in a manhole. Most often when plans are created to check off a box, they lack the depth and structure required to make the plans any good. Remember, the point isn’t to have a plan, the point is to have a relevant plan. By developing a plan just to check off a box, the company is doing a disservice to the regulator, to its stakeholders and to itself.
The “umbrella in a manhole” approach might protect you from the occasional, minor incident, but quality plans are the result of having a structured program in place that executes disciplined principles.
Let’s take a look at a few of the principles that will help you have a proper manhole cover in place:
Executive Sponsorship. This is the cornerstone of your program’s foundation. Without strong executive leadership, your program could be doomed from the start.
Steering Committee. In addition to the executive, gather a team of senior business leaders and meet on a regular basis to identify gaps in the program and establish priorities for building maturity.
A Program Framework. Some sort of policy document is required to define the scope, terminology and standards of the program. This should define the program’s governance structure, compliance requirements for plan updates and testing, program measurement metrics, and an overview of roles and responsibilities during a crisis.
Crisis Response. In addition to having a Crisis Management Plan, make sure your initial response is well documented and socialized throughout the organization. Simplify it to four or five steps, put it in a nice picture or flowchart and make sure your key players are instinctively aware of how to respond.
Plans. Business Continuity Plans, a Crisis Management Plan and a Disaster Recovery Plan are critical to your organization’s readiness. But they are just minimum requirements. Additionally, plans can cover things like cybersecurity incidents, privacy breaches, pandemic and emergency management procedures.
Exercises and Tests. It’s one thing to have a plan, but the plan doesn’t become alive until it is exercised. Run through a plausible scenario and follow the procedures outlined in your plan. Be willing to admit where the plan needs to change. Make improvements and test it again. Often plans can be significantly improved just by making minor clarifications to key instructions. Plan maintenance and continuous improvement (as a result of exercising) are a critical part of being prepared.
Don’t get me wrong, I love umbrellas. Think of their versatility. They are needed on the sunniest of days and during a terrible rain. When it comes to protecting us from the sun or the rain, grab your umbrella. But to protect your organization – grab something with a bit more structure. You’ll thank me later.
Senior crisis management and business continuity consultant with cybersecurity response and crisis communications experience in a leadership role, spanning twenty years.
Proven track record in developing and implementing crisis management, business continuity and cybersecurity response protocols, and establishing mature business continuity programs and effective governance models.
Quick to build relationships and achieve results working collaboratively with business leaders and executives.
Extensive experience in the development and execution of tabletop and operational exercises with a focus on measurable results that lead to overall improvement of plans and programs.
Feel free to contact Mark to see how he can help your organization be well prepared: [email protected] or on Twitter @mhoffman_cbcp