Reposted from Security Management Magazine
Receiving executive buy-in for crisis planning and program development can be a daunting endeavor. Most private sector industries have few legal or regulatory requirements specific to security or crisis programming. Additionally, security and crisis management programming are sometimes not viewed as priorities or aligned with the corporate mission. Finally, most security and crisis professionals are left to try to influence executives with limited budgets and staff. I learned these challenges the hard way.
For more than 10 years in the U.S. federal government, I was part of several large-scale emergency responses and planning efforts at the executive level. I engaged with top-level government executives and foreign dignitaries. In 2012, I transitioned to a private sector emergency management role. I was hired to create comprehensive crisis response plans and to train all employees—including the C-suite—on their roles during a crisis. I assumed the importance of life safety would be an easy sell. I was wrong.
I quickly learned that I didn’t speak the language of my new environment and I no longer had the power I had in government to issue mandates and penalize non-compliance. For me to be successful in the private sector, I needed to rethink my approach and find a way to influence people without having many rules or regulations that I could lean on.
So, I developed a three-pronged strategy that helped me create successful crisis management programs for Fortune 500 organizations and other businesses and non-profits.
Speak to the Bottom Line
A major difference between private and public sector emergency management is what words are used to get financial buy-in. In the public sector, statements such as “leveraging the whole community” or “will save the most lives” are typical lead sentences when requesting federal grant dollars. In the private sector, though, the emphasis is on words that show how you can save the company money.
For instance, if you are trying to earn buy-in to launch an emergency notification system to communicate with your employees during a crisis, concentrate on the following: Show how the system will decrease the company’s risk, demonstrate how implementing this system positively impacts the corporate brand, and highlight what types of insurance coverage discounts the company can receive if the system is implemented.
A sample pitch to get funding for the system could be:
Investing in a company emergency notification system:
- Will mitigate the company’s risk by giving our employees vital information during and after an emergency, which decreases potential injuries and possible downtime;
- Will showcase that we put our employees first and that safety is an important corporate value; and
- Will lead to a 15 percent decrease in insurance rates, saving the company thousands of dollars annually.
Always Leverage a Bad Day
There is no single better way to get funding and executive support for your crisis management program than a real-life crisis. This is the time the security lead or crisis manager can truly show how they can add value by stepping up to coordinate the company’s response. Use the crisis as the springboard to establish the process and protocol you want to build and document for future responses. Simply pulling together a basic situation briefing call with the core corporate functions provides an important example of how corporate response should be done, and it quickly defines your company’s duty of care to its employees.
Try to side-step the whole “who is in charge” issue. In the private sector, the CEO is always in charge, and no corporate crisis plan should suggest otherwise. It is the job of the security or crisis leader to showcase how they can facilitate the response by ensuring the appropriate corporate leaders are around the table and guiding them through the decision-making process.
I witnessed hours lost in one company’s response because the security director got into a shouting match with his C-suite executives by saying he was the incident commander, and they must follow his directions.
The title incident commander is standard public sector vernacular, but it doesn’t translate to the private sector. In any corporate crisis plan, designate an incident coordinator instead—that simple word change completely shifts dynamics and avoids many clashes over territory. Finally, remember the private sector is rarely required to do anything when it comes to crisis planning.
Flip the Script
In the United States, traditional public sector emergency planning is driven by a set process and protocol typically outlined by the U.S. Federal Emergency Management Agency’s (FEMA) rules and regulations. There are federal guidelines that specifically detail the requirements for hazard mitigation plans, emergency operations center plans, etc. Although there are industry best practice recommendations for crisis management and planning in the private sector, such as ISO 22361, requirements are few and far between. Often, businesses will recognize they need some sort of crisis response plan, but the focus will be on the management of a specific incident instead of looking at the big picture—how the company will respond as a whole and what expectations, roles, and responsibilities employees have.
One of the best approaches to get engagement for corporate crisis planning is to conduct a very simple 30-minute tabletop discussion with your executives. This is the opposite of the public-sector approach of building your plan first then testing it with an exercise. I have found a lot of success by gently throwing executives into the deep end. Talking through a crisis scenario quickly opens executives’ eyes to their personal knowledge gaps and how these gaps pose a risk to the company.
I once did a tabletop discussion with executives that focused on their earthquake response protocol (knowing they had none). My 30-minute timeframe got extended to more than two hours because the executives realized they had no protocols in place. Of top concern was that they had no plans on how to communicate with their employees nor knowledge of what to do if the server in the building was damaged, a server that had no fail-over and held millions of dollars of intellectual property content. That conversation got me the support I needed to develop a comprehensive all-hazards response plan and crisis communication protocol for the company.
Although there are many differences between public and private sector crisis planning, no corporate plan should be done in a vacuum without engagement with local emergency response agencies. Many corporate plans have been written without communicating with local responders or even an understanding of local emergency response protocols, and this makes the company’s crisis response plan worthless. For example, if you don’t know in what type of situations local responders will shut off access to a company’s facilities, you and your employees can find yourselves not being able to work for days. Imagine an ice storm or flash flooding scenario—consider the lost time and risk to employees if a company has no protocols to notify employees of unsafe conditions. If the company engaged its local emergency manager or researched local resources, security and emergency management leaders could have gained valuable information that they could have included in their plan. Specifically, list where to find local road information or notifications, develop company protocol on when employees should check in with management before getting on the road, and create a continuity of operations protocol to define what work can be completed virtually.