CHAPTER 8: PERSONAL AND ORGANISATIONAL RESILIENCE

8.1 Context

“It may sound strange but many champions are made champions by setbacks.” – Bob Richard, two-time Olympic Pole Vault champion.

As advanced security professionals, there is an expectation that your specific personal value to the organisation will probably be at its premium, and most visible, during major incidents and acute organisational challenges. In prior chapters we examined effective ways to carry out business planning, networking, investigations, communications and compliance. Now is the time to draw our prior learning together: how we can nurture our personal preparedness for crisis management and also develop our own contribution to the wider mission of a business organisation’s resilience? (We briefly touched upon what was meant by ‘organisational resilience’ in Chapter 2.)

The aim of this chapter, therefore, is to provide sharper focus upon several approaches to individual, and also organisational, resilience. Individual and organisational initiative towards individual and team development is investigated in this chapter’s first half. We establish how personal and group resilience tactics can, ultimately, act as a very useful contributor to overall organisational resilience. This chapter’s second half will familiarise the reader with commonly deployed strategic crisis management and continuity concepts and techniques. We will refer to several eminent studies that have taken place since the 9/11 terrorist atrocities. This concluding chapter will:

•   address issues of personal fitness, health and well-being, teamwork and intellectual development

•   provide context for crisis management studies

•   explain some conceptual frameworks that enable us to understand a crisis, and its attendant phases

•   provide lessons and techniques in crisis management and longer-term organisational recovery from communications management professionals beyond the security industry sphere

•   wrap-up: what will give your company the competitive edge before, during and after a crisis?

8.2 Personal resilience

“That which does not kill us makes us stronger.” – (Friedrich Nietzsche)

Do levels of individual physical fitness matter in respect of contributing directly to an organisation’s overall resilience? President John F Kennedy thought so: “Our growing softness, our increasing lack of physical fitness, is a menace to our security”, he said of American society in the early 1960s, as he launched a National Council of Fitness.

Fast-forward four decades from Kennedy’s Camelot presidency and we see that four small groups of people could seize control of four civilian passenger jets and direct them into crowded buildings; armed with just bolt cutters and knives. A few weeks later in 2001, other cabin crew staff and passengers were luckier. They physically suppressed and stopped terrorist, Richard Reid, from detonating an onboard bomb. Reid had explosives tucked in a shoe-heel and was travelling upon a crowded Boeing jet running from Paris to Miami. Tragically, almost 100 commercial airliners have been attacked by bombs, a third by identifiable terrorist groups, with the loss of some 3,000 passengers since 1933, reports Aerospaceweb (1). In reality then, individual physical fitness and resilience can only take us so far along a path of delivering a resilient ‘culture’ or organisation.

In fact, it is fair to say that the root causes of insecurity during modern times have little connection to personal fitness and resilience. The industrialisation of weapons technology and the continued proliferation of weapons of mass destruction, continues to threaten humanity, or vast portions of it. For each year, between 2004 and 2011, the world spent $60 to $80 billion dollars each year on buying arms and defence products, stated the website of Global Issues in 2014 (2). Moreover, investment by public authorities and private companies in cyber security management has burgeoned. Companies have had servers and Cloud accounts hacked, bank accounts plundered and research and development blueprints stolen and counterfeited. Customers have had their ATM cards cloned, tax records destroyed and compromised, PIN numbers and passwords scanned and stolen. Governments and their military systems have been comprehensively breached by outsiders and insiders committing physical and information attacks upon their colleagues and countries.

Why then should we be worried by individual fitness and personal resilience issues, at all? How can physical fitness or personal resilience training help larger organisations become more ‘resilient’? Moreover, as Diana Coutu from the Harvard Business Review puts it: “Why do some people and some companies buckle under pressure? And what makes others bend and ultimately bounce back? (3)” The following sections will show us that President Kennedy, a decorated World War Two combatant in his own right, was more than justified to make his claim; improved personal resilience is an important contributor to organisational and societal sustainability and drive.

What is personal resilience?

Author of Positivity (2009), Dr Barbara Fredrickson, suggests that resilience is predominantly achieved by psychology and perspective management. Due to in-built survival mechanisms, human brains are naturally wired to give more attention to negative events than positive ones. But in all likelihood, we experience many more positive events than negative ones. One essential ingredient to building resiliency, reports Fredrickson, lies in “noticing and appreciatingthose positive experiences whenever and wherever they occur” (4).

In researching for her article ‘The 5 best ways to build resilience’, Jessie Sholl examined, by way of first hand interviews, how some people appear to flourish during a crisis, while others seriously stumble. Scholl carried out a series of qualitative interviews with people who, it would be fair to describe, had experienced significant personal adversities. Scholl also carried out a copious literature review of materials from psychologists who had also examined, or sought to identify, the key personal ingredients to an emerging notion of resiliency. Scholl arrived at her conclusion that ‘good physical conditioning’ was a significant enabler to the personal resilience shown at later, and more traumatic, life trajectories (5).

8.3 Personal resilience initiatives in the workplace

Private sector companies are fast adopting fitness and personal resilience programmes in order to hopefully enhance overall organisational resilience. Equilibrium is Deloitte’s wellness programme, aimed at “improving employee wellness and well-being” (6). Accountancy company, Deloitte, say that such an initiative “addresses the physical and psychological components of well-being by offering information sessions and programmes covering fitness, health, diet, alternative and complementary therapies, yoga classes, etc. throughout the year on a subsidised basis” (7). The company has a strong tradition in advocating employee wellness and gives the following reasons for this:

•   It provides a strong incentive for employees to remain with their current employers

•   It reduces absenteeism due to injury, illness or burnout from heavy workloads

•   It improves working relationships and increase attitudes to productivity

•   It helps manage stress

•   It increases job satisfaction (8).

Research by diet advice company, Weight Watchers^®, found that overweight employees have twice as many health-related absences and “higher levels of presenteeism”: defined as remaining on the job but not functioning at full capacity (9). In the US, a lot of data suggests that stress management and obesity-related illness account for a vast majority of employee health issues. Researchers at the American Institute for Stress found that some 80% of employees felt stress at work, while more than 55% of absences are caused by family-related issues (10). Moreover, due to soaring insurance costs for employers, the past two decades have witnessed a large upsurge in workplace well-being programmes across the US. According to Philadelphia-based health assistance company, Health Advocates: “80% of these [workplace impacting] diseases are lifestyle-related … and having a wellness program on-board that helps employees adopt healthier habits can significantly reduce illness, accidents, absences and medical claims. Increased productivity is a further hard-to-ignore benefit” (11). Much evidence on this and related concerns has been gathered by the US Department of Health and Human Services and an NGO called Partnership to Fight Chronic Disease. Other corporate success stories include The Bank of America which introduced health risk assessments (HRAs) alongside educational materials. The following year, the bank then reported a ten percent decrease in healthcare costs. Biometric screenings that include blood cholesterol tests were offered in addition to HRAs by US communications company, Cadmus. Reported results are significant: employees spent half as much time in hospital after the initiative compared to before. Cadmus’s healthcare bill was reportedly reduced by 75% (12). Another large company, Caterpillar Inc, reports that it has reduced workplace insurance premiums by $75 per employee since introducing HRAs (13). Other companies, including furniture maker Wi, pharmaceutical giant Johnson & Johnson, and insurance company, Florida Blue, also publicly endorse and offer employee’s fitness programmes and outcome-based incentives reported the Wall Street Journal. Thus, a whole range of American companies sense that they receive great, untapped, extra value, from promoting personal fitness and resilience strategies at work.

Some US public authorities have taken a more persuasive approach. Houston city authority staffers reportedly received a $25 payroll ‘surcharge’ if they did not fulfil mandated personal fitness tasks. Obligations included taking part in HRAs, biometric testing, meetings with health coaches, and signing up for a fat reduction programme (14).

Nevertheless, organisations and managers may wish to be aware of possible negatives. With outcome-incentive schemes, there is an increased likelihood of false or embellished reporting on self-reporting HRAs. Moreover, disproportionate or random high-intensity activity bursts, or peer pressure to undertake such, may be hazardous to an individual. (Or a company balance sheet, if they get sued.) As could poor vetting or lax recruitment processes around so-called personal fitness and self-help coaches. Furthermore, many employers and employees in the civilian sphere might feel very uncomfortable that corporate decision making, such as promotions and incentives, are being based around performance in workplace physical resilience initiatives. In some domains, pressures upon employees (even within police and army domains) to conform to physical resilience initiatives may attract rebuke from interest groups, or even feel the full force of legislation that seeks to protect human rights and eradicate workplace discrimination. Following criticism of some British police forces, a report published by Sir Tom Winsor during 2012 claimed that some 52% of Metropolitan Police Service officers were ‘overweight’. In another force “barely one in four male officers was normal weight”, the Daily Mail reported (15). A ‘bleep test’ system was introduced, with the bar set much lower than other comparable police forces around the world. But a year later, a female Chief Constable of Cleveland scored just 4.2 reported the Northern Echo, some 1.2 lower than the minimum pass grade (16). Some cases of discrimination have been brought against UK police service employers. The attempt to improve personal fitness performance has floundered in the UK temporarily. It was firmly critiqued by the UK Police Federation, a body that represents beat police officers:

“Physical fitness is just one aspect of a police officer’s role. In some roles it is more important than in others and officers who undertake those roles should have an appropriate fitness test. Health and well-being is equally important and officers should get regular health screening and help to keep in shape. But to value physical prowess above all other things has the potential to change the whole culture of the service and devastate diversity.” (17) (18). Food for thought indeed.

8.4 Developing team resilience from personal resilience techniques

In their 2013 study Defining and characterising team resilience in elite sport, eminent team sports psychologists, Morgan, Fletcher and Sarkar, make clear connections between successful individual and team sporting activity and implications for entrepreneurs and companies that may wish to learn from such practices. Security practitioners thus might wish to note:

The structural aspects of team behaviour, such as shared interpretive responses, role systems, rules, and procedures, enable these groups to organise themselves during a crisis. “These aspects appear to allow team members to co-ordinate their responses to stressors through agreed patterns of behaviour and the subsequent creation of collective sense making”, assert Morgan, Fletcher and Sarkar (19). The analysts continue: “Research has suggested that resilience at an organisational level is more likely to occur when rich social capital exists” (20). ‘Social capital’ has been usefully defined as “the goodwill available to individuals, groups, and organisations that lies in the structure and content of their interpersonal relationships” (21).

Shared experience and collective processing of adversity is critically important to develop team resilience, suggest Morgan et al. “… resilient teams regard setbacks as a natural part of their development” (22). From their significant study, the group conclude that, “Team resilience was defined as a dynamic, psychosocial process which protects a group of individuals from the potential negative effect of the stressors they collectively encounter. It comprises of processes whereby team members use their individual and collective resources to positively adapt when experiencing adversity” (23).

Other researchers have also focused on identifying key ingredients to team resilience. The US-based Search Institute found that “resilient inner-city youth often have talents, such as athletic abilities that attract others to them”. These kids had “an uncanny ability to get adults to help them out” (24). In another important academic study, Develop Resilience – lessons learned from Olympic Champions, produced after London’s 2012 Olympics, Sarkar and Fletcher interviewed 12 Olympic champions “from a range of sports regarding their experiences of withstanding pressure during their sporting careers”. They found that athletes demonstrated a “number of key psychological attributes” (25). The pair then developed a personal resilience framework – core personality components that were demonstrated by each of the athletes. There appear to be five common traits for success: “positive personality, motivation, confidence, focus and perceived social support”, the researchers concluded (26). The following quote illustrates just how the quality of team confidence and collective, optimistic consciousness, can influence an individual evaluation of pressure:

“We were playing against (country) in our last game … and I looked at my opposite number and I thought ‘I’m going to give you a hard time today kid’ … Now if I had that internal thought 18 months ago, I would have thought I was being schizophrenic or something, because if you’re going to lose to anybody it’s (country), but I just felt I had such confidence in … my team’s ability.” (27)

Imagine, for a moment, propelling that type of undefeatable corporate mindset against your competitors! Furthermore, an ability to focus with intensity on the incumbent task was also found to be a critical aspect of personal resilience practiced by the world’s best athletes. Each was able to focus on themselves and tasks (challenges) that they had to achieve in order to win the greater prize. They did not permit themselves to be distracted by others. Gold medallists also learned to focus on overarching process, rather than specific event outcomes. Each could ‘switch’ their focus on and off to suit demands that they faced (28). This author is probably not alone in betting that our top entrepreneurs have only reached the peaks of enterprise by deploying precisely the same intensity of focus at key junctures in their working lives.

Military team-building techniques and resilience

Dr Martin Seligman’s Building Resilience model is instructive in the manner that it develops physical fitness values into a mental health well-being strategy for one of the most kinetic, high-risk security job roles: the modern day soldier. Seligman is one of a group of leading psychologists who have worked with the US military to develop the Comprehensive Soldier Fitness (CSF) programme. This consists of three ‘components’:

1.   A test for psychological fitness

2.   Self-improvement courses following the test

3.   Master resilience training for drill sergeants.

According to Seligman, who has been regularly dubbed the ‘father of positive psychology’, the core components are based on the mnemonic, PERMA: positive emotion, engagement, relationships, meaning, and accomplishment. Seligman calls these, “the building blocks of resilience and growth” (29). A ‘spiritual fitness module’ within a CSF self-improvement course “… refers not to religion but to belonging to and serving something larger than the self”. This component is of particular relevance to corporate leaders argues Seligman: “… it begins with the ancient wisdom that personal transformation comes from a renewed appreciation of being alive, enhanced personal strength, acting on new possibilities, improved relationships, or spiritual deepening” (30).

8.5 Crisis management and personal resilience

When we dig among the plethora of well-researched and documented work in fields of ‘organisational resilience’ – perhaps by taking isomorphic lessons from company survival strategies – we can see prima facie that little comment is made around levels of personal fitness being an enabler to survival.

During many other cases of mass casualty terrorism, or natural disasters, including the Mumbai 2008 terrorist bombings and siege, a key survival strategy was quick mental activation, followed by the physical ability to evacuate safely and cover long distances on foot away from the danger zone. For example, the full impact of a fully-loaded vehicle borne improvised explosive device may well be felt over several thousand metres. The 2008 hotel bombing carried out in Islamabad by drivers of a dumper truck laden with explosives, reportedly caused injuries more than two kilometres away, due to the direction of explosive blast and limited barriers within its path. 54 people were killed and several hundred badly injured, and a deep earth-crater was left to the Marriott Hotel’s frontage (33). Furthermore, first responder resources are very limited in any domain and must attend to priority cases, if indeed they can access the incident at all. Physical and group self-preservation is the order of the day in most emergency scenarios, in any environment, at least to begin with.

The late resilience expert, Dr Al Siebert, stated: “highly resilient people are flexible, adapt to new circumstances quickly, and thrive in constant change. Most important, they expect to bounce back and feel confident that they will. They have a knack for creating good luck out of circumstances that many others see as bad luck” (34). It therefore seems entirely logical that the stamina and strength of each individual is of direct material significance for the team, and organisation, which they contribute their physical, emotional and intellectual matter to.

8.6 Crisis management and communications

“While not all crises can be foreseen, let alone prevented, all of them can be managed far more effectively if we understand and practice the best of what is humanely possible.” – Professor Ian Mitroff, 2001 (35)

Corporate communications techniques

High-profile organisations and people attract lots of media attention. Major incidents and crises attract a whole lot more. However, the responsibility for dealing with such a volcanic eruption of public interest can fall on the shoulders of employees and executives that are often unfamiliar with professional media management techniques and inexperienced in crisis management. Dynamic and multifaceted media management strategies have been practiced by government institutions and agencies since the advent of mass media, and they provide some lessons for security and emergency planners.

The brutally honest and professional memoir by President Bill Clinton’s former communications director, George Stephanopoulos, All Too Human: A Political Education (1999), provides a valuable insight into how any major organisations can understand crisis communications management (37). Stephanopoulos’ isomorphic-style work provides a frank assessment of public relations mistakes made by the White House in the early 1990s. Four key lessons that I’ve identified spring out from the book for corporate leaders:

1.   The near-simultaneous occurrence of multiple crises – often with interconnected causes, and lethal proximity to ‘contagion’ – that can impact one organisation, and one team. Lesson: Overall strategy is critical.

2.   The relationship between sustained crisis management, employee mental health well-being, and how decision making can become skewed into supporting narrow, inward-looking agendas. Lesson: Look after your own staff.

3.   Dealing with several simultaneous official investigations and subpoenas, for cases with serious implications for employees and executives. Lesson: Get expert advice and be transparent.

4.   Develop processes in order to establish feedback on performance of the media operation. Lesson: Don’t alienate reporters and ask friendly reporters for feedback.

Crisis communications: Process and stages

According to crisis communications author, RL Dilenschneider, a crisis can create three related threats: public safety, financial loss and loss of good reputation. Another academic in this sphere, W Timothy Coombs, wrote in his prominent 2007 article Crisis Management and Communications that, “effective crisis management handles the threats sequentially”. Timothy Coombs adds: “The primary concern in a crisis has to be public safety. A failure to address public safety intensifies the damage from a crisis” (38). Barton’s (2001) report Crisis in Organisations II and Coomb’s own report Code Red in the Boardroom build on prior research from other CM academics who suggest that, in practice, crisis management can be more effective if it is divided into three tangible phases:

1.   Pre-crisis: Crisis management plans are developed; a designated CM team appointed; CM plans are practiced regularly; public messages can be ‘pre-drafted’ as much as possible.

2.   Crisis response: How management actually respond to a crisis. Barton (2001) recommends that the CMT include the following business functions: finance, legal, human resources, public relations and security.

3.   Post-crisis: Investigate and implement improvements for next CM response; fulfil commitments made during crisis; wind down intensity – no longer CM mode but drop down a gear, yet still maintain strategic CM controls (39).

Instructing information

Speed, accuracy and efficient audience targeting will be critical tasks for the communications teams and public-facing executives during a crisis. Leaders and spokespeople will not want to face the wrath of media and stakeholders without being armed with key facts, pledges and an option to carry out news briefings from secure and appropriate locations. In scenarios involving public safety, incorrect information can be fatal to an organisation’s reputation. For public authorities, getting baseline information disseminated to the general public may well be their mandated responsibility. Public ‘warning and informing’ duties often involve the dissemination of instructing information. Such notices, via broadcasts or electronic communications, can help to publicise evacuation and shelter points, safe routes and diversions, public health information and other useful messages. Speed and reach of communications are critical at the beginning of a crisis. However, police or security agencies may be worried that extra security risks could be posed by too widely disseminating certain public safety arrangements. Many business communities (and individual companies) have responded since 9/11 by developing their own, fast-time notification systems, such as the popular i-modus SMS and email alerts that get disseminated to registered City of London-based security managers. This initiative, and many similar ones, can deliver specific, relevant and actionable information to trusted individuals and subscriber organisations. Wherever security practitioners operate in the world, they are recommended to research and join such useful information notification networks (40).

Verbal crisis responses

Expressions of regret and sympathy by any culpable organisation can, of course, lessen the damage to its waning reputation. Nevertheless, research demonstrates that expressions of sympathy can bring unintended consequences. Here’s the good news: Cohen (1999) evaluated some legal cases and discovered that early expressions of concern did actually help to lessen the volume of claims made against an organisation that was perceived to be responsible for a crisis (41). However, Tyler’s prominent research (1997) demonstrated that lawyers may try to suggest expressions of concern are admissions of guilt (42). Another communications analyst, Hearit (2007), cautions that regular expressions of sympathy and concern can begin to appear routine, suggesting a loss of emotional intelligence by company representatives. Without delving too much into psychology as a discipline, an informed awareness of Kubler-Ross’s model, popularised as the ‘five stages of grief’, published in his magnum opus, On Death and Dying (1969), would serve any CM or crisis communications planners well (44).

Argenti’s study into companies responding to the 9/11 attacks in America emphasised the importance of turning attention internally after any major crisis or disaster. By interviewing managers and assessing survivor responses following conversations some time after the Manhattan disaster, Argenti recommends: “employees need to know what happened, what they should do, and how the crisis will affect them” (45). One institution which lost several hundred colleagues allocated surviving staff volunteers to act as unofficial liaison with families of co-workers who had not survived the atrocities (46). In the aviation industry, trauma teams are immediately despatched to support staff and families of victims. Such psychological support services are now routinely made available across several sectors including major banks to support robbery victims, usually their own employees. As mordant as it may be, news organisations and social media platforms are inundated with macabre, microscopic and unreasonable, cynical examinations in relation to the conduct of organisations, leaders and employees during times of major organisational and personal turmoil.

W Timothy Coombs has devised and developed various crisis response frameworks. With fellow crisis communications expert, Bill Benoit, Timothy Coombs has developed a Master List of Reputation Repair Strategies. However, before we plough ahead and report headline best practice, it is worth reflecting that not every substantial incident does require a formalised crisis management response. A well-intended overreaction can sometimes create more harm than good. That said, we finish this section by offering an easy-to-use crisis communications checklist.

8.7 Social media and crisis management

In 2011, the journalist, Eric Berto, wrote poignantly on his blog: “The state of journalism is in flux. It is either morphing into a free-for-all landscape where anybody with internet access is a journalist. Or, the true journalists still exist in the form of somebody willing to conduct interviews, challenge the information given and work to gather facts not normally accessible” (48). Berto may well be correct. But as security practitioners, we have to treat and respond to the risks of the world as we find them. And, undoubtedly, although social media platforms may be the root cause of a major security incident, or add rocket fuel to a crisis, they do also provide a tremendously influential tool for problem solvers and security solutions innovators. Bad communications cause crisis; good communications can fix them.

At the time of writing, the number of people registered to use social media continues to rise. Where people are online, around seven out of ten use a social media platform. In the US, seven out of ten online users have a Facebook account (though up to three out of four might not regularly use it). One in four use LinkedIn, Pinterest, Twitter and Instagram. For many years, governments, businesses and NGOs have attempted to research and identify methods to use social media platforms to communicate during a major incident or crisis.

Governments and public authorities turn to social media to both get messages out around major incidents and also to receive critical information. A study commissioned by the Red Cross found that social media is the fourth most popular source to access emergency information (50). It also found that around half of all respondents would sign up for emails, text alerts, or social media alert applications for emergency information if services were offered. Private companies, such as BP in responding to the 2010 Deepwater Horizon explosion and oil spill disaster in the Gulf of Mexico, have become proficient at using social media as a frontline communications tool in emergency recovery scenarios. Although criticised for widespread mishandling of the broadcast media following this disaster, BP were able to publicise emergency contact details and offer direct contact with financial relief schemes via its Facebook pages. This conversation loop did assist some impacted companies and communities to access compensation. The ability for companies, NGOs and governments to communicate directly via social media with audiences, especially during periods of intense mass media hostility, has provided a literal lifeline and significant tool of organisational resilience for many under-fire enterprises.

The business security advisory group, CSARN, produced a mini-report explaining how organisations can use social media to support emergency response and recovery (51). Some of the headline scenarios identified by CSARN include:

•   Social media is now very frequently used by individuals, companies, community groups and public authorities to warn others of unsafe areas or situations, to contact friends and families of those injured and rescued, and also to raise vital funds and materials for disaster relief missions.

•   Facebook, the world’s largest social network, supports many emergency-related organisations, including the Information Systems for Crisis Response and Management (ISCRAM) initiative, The Humanitarian Free and Open Source Software (FOSS) Project, as well as numerous university-based disaster programmes.

•   Social media has played an influential role during a wide range of emergency situations. Sometimes for better or for worse. For example, in 2009, the US Army used its twitter account to provide coverage and updates during the Fort Hood shooting. The American Red Cross uses its social media platform in a similar way to issue alerts of potential disasters. Yet terrorists, for example during the 2008 Mumbai sieges and other mass casualty attacks, do often use social media to identify where visitors and guests may be hiding.

•   Social media can be used to help update communities on response and recovery actions, and to keep communities informed of developments. It can help alleviate the pressure and diversion that can sometimes be contributed to by excessive or unreasonable broadcast and print press media demands.

•   According to FEMA’s Craig Fugate, social media helps government to communicate in a crisis because it is interactive and enables two-way, ‘backchannel communication’ with those impacted, or those with better information. Fugate also identified a disadvantage for government and victims of violence. US Armed Forces were effectively tied into a race against social media platforms when it came to the sad duty of informing service personnel families of their deaths (52) (53).

•   People in disaster impacted areas have started to use social media to alert the authorities to their needs, especially when telecommunication networks go down. Researchers studying the 2011 Japanese earthquake and tsunami found that individuals ‘tweeted’ for assistance when they could not use a phone. This also posed a problem for emergency services as tweets for assistance were often ‘retweeted’ after the victims had already been rescued. This presents the problem that social media could add to the confusion and misinformation that often arises from emergencies and disasters (54).

•   One major concern, though, are threats and risks caused by the deliberate provision of inaccurate information (misinformation) to confuse or harm response efforts.

8.8 Crisis management standards and guidance

Enterprise risk management academic and practitioner, Geary Sikich, is one of many commentators who – without dismissing the role of industry guidance – does illustrate the real world limitations of abstract manuals which provide us with instructions for supposed standards and best practices. High-profile incidents and organisations are susceptible to intensely hostile and resource-sapping scrutiny. In his reflective article, Lessons from the BP Deepwater Horizon Catastrophe, Sikich (2010) states that some organisations are stuck in an “activity trap; dominated and controlled by internal process and outdated controls. Such constrained business practices could run contrary to changes in the operating environment or developments in technology”. From his isomorphic studies, Sikich observed that, “Risk and non-risk management professionals are so enmeshed in following risk-management protocols promulgated by financial and non-financial regulatory and oversight entities that they cannot see the risk for what it really is. They get caught in the ‘activity trap’” (55). One particular company failure attracted Sikich’s ire. In his critique of BP’s response he found that: “… eventually, procedures become a goal in themselves – [they were] doing an activity for the sake of the activity rather than what it accomplishes” (56).

Nevertheless, guidance reports and national and international standards are exceedingly important to access for security and emergency planners. Security and emergency planners may themselves be newcomers to various corporate crisis scenarios, but this won’t prevent their non-security colleagues carrying a realistic expectation that they are, de facto, the first port of call in a crisis! Published and emerging BSI and ISO standards and guidance documents available to support crisis management and incident management are given below.

Business Continuity Institute: Good Practice Guidelines (2013) are, according to the BCI, “the independent body of knowledge for good Business Continuity practice worldwide. They represent current global thinking in good Business Continuity (BC) practice and now include terminology from ISO 22301:2012, the International Standard for Business Continuity management systems” (57).

PAS 200:2011: Crisis Management – Guidance and good practice was published in September 2011. PAS 200 is a Publicly Available Specification (PAS) sponsored by the UK Government’s Cabinet Office and developed in partnership with the British Standards Institution. It is aimed primarily at top managers and aims to inform the development of a strategic crisis management capability within an organisation (58). The PAS differentiates between the terms incident and crisis and refers to the BS 25999 Business Continuity Management standard for incident management guidance and requirements.

ISO 22320:2011: Societal Security – Emergency management – Requirements for incident response, was published in 2011. ISO22320 includes requirements for integrated and cooperative aspects of incident response between organisations at international, national and regional levels. This includes, for example, creation of command and control structures that facilitate information flows and inter-operability between organisations. Prof Ernst-Peter Döbbeling, convener of the working group that developed the standard said: “ISO22320 is a valuable tool that all types of organisations can use to improve their capabilities in handling incident response in any crisis” (59).

ISO 22301:2012: the International Standard for Business continuity management systems – Requirements was published midway through 2012. According to its ISO sponsor: “ISO22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It is expected to help organisations protect against, prepare for, respond to, and recover when disruptive incidents arise” (60).

BS 25999: This British Standard for business continuity management systems was replaced by ISO 22301:2012 above. It was withdrawn in 2013, but remains well-known. In the BSI document, the practice of business continuity management was defined as the: “… holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities” (61).

Chapter 8: Wrap-up

In closing this chapter on Personal and Organisational Resilience, we reflect on some of the approaches and attributes that will help your company gain the competitive edge. These include:

•   As advanced security professionals, there is an expectation that your specific personal value to the organisation will probably be at its premium, and most visible, during major incidents and acute organisational challenges.

•   Due to in-built survival mechanisms, human brains are naturally wired to give more attention to negative events than positive ones. But in all likelihood, we experience many more positive events than negative ones. One essential ingredient to building resiliency lies in “noticing and appreciating those positive experiences whenever and wherever they occur”, reports resiliency expert Barbara Fredrickson.

•   Shared experience and collective processing of adversity is critically important to develop team resilience, suggests Dr Paul Morgan, Head of Sport at Buckinghamshire New University. He adds that, “resilient teams regard setbacks as a natural part of their development”.

•   Many national and city public authorities run ‘Warn and Inform’ message alert systems for businesses and security managers in their area. Bulletins send out ‘instructing information’ in the occurrence of a major incident. These crisis communications initiatives can deliver specific, relevant and actionable information to trusted individuals and subscriber organisations. Wherever security practitioners operate in the world they are recommended to join such useful information notification and peer-support networks.

•   Be prepared to get proficient with using social media! The ability for companies, NGOs and governments to communicate directly via social media with audiences, especially during periods of intense mass media hostility, has provided a literal lifeline, and significant tool of organisational resilience for many under-fire enterprises.

•   National and international standards are exceedingly important to access for security and emergency planners. Security and emergency planners may themselves be newcomers to various corporate crisis scenarios, but this won’t prevent their non-security colleagues carrying a realistic expectation that they are, de facto, the first port of call in a crisis! Security practitioners should familiarise their teams with all guidance and standards documents and requirements that are made available to support crisis management and incident management.

On a closing note, it is the aforementioned ‘holistic’ process of business continuity that, ultimately, clients are now asking security consultants to protect. Traditional threats and risks have by no means gone away. It’s just that the role of a modern security practitioner has shifted from being a predominantly protective site and assets person, into emerging as a leading contributor towards overall organisational resilience. The definition of an entrepreneur is somebody who sets up a business, taking on financial risks in the hope that they make a profit. I very much hope that this book has helped you thrive in taking risks and decisions as a business entrepreneur; whether in your own company or somebody else’s. But I also sincerely wish that this edition has helped you to better protect other entrepreneurs and businesses as they too seek to turn a profit in our uncertain and remarkable world.

References

1)   Aerospaceweb (2014), ‘Commercial Airline Bombing History’, accessed and downloaded on 06/05/2014 at: www.aerospaceweb.org/question/planes/q0283.shtml

2)   Global Issues.org (2014), ‘The Arms Trade is Big Business’, accessed and downloaded at: www.reuters.com/article/2014/02/05/us-usa-retailers-cybersecurity-idUSBREA1409H20140205

3)   Coutu, D., (2002), ‘How Resilience Works’, Harvard Business Review, May 2002

4)   Fredrickson, B., (2009), ‘Positivity’, Crown Archetype

5)   Sholl, J., (2011), ‘The Five Best Ways to Build Resiliency’, Experience Life Magazine online, September 2011. Accessed and downloaded on 16/05/2014 at: http://experiencelife.com/article/the-5-best-ways-to-build-resiliency/

6)   Deloitte website (2006), ‘Workplace initiatives’, accessed and downloaded on 12/05/2014 at: https://mycareer.deloitte.com/ie/en/students/life-at-deloitte/workplace-initiatives

7)   Ibid.

8)   Deloitte website (2006), ‘Workplace wellness: Organised wellness’, accessed and downloaded on 12/05/2014 at: www.deloitte.com/view/en_gb/uk/6ef976787e090310VgnVCM3000001c56f00aRCRD.htm

9)   Miller-Kovach, K., (2007), ‘Weight and the Workplace’, accessed and downloaded on 12/05/2014 at: www.weightwatchers.com/images/1033/dynamic/GCMSImages/weight_workplace.pdf

10)   The American Institute of Stress, (2007), ‘Job Stress’, accessed and downloaded on 12/05/2014 at: www.stress.org/archives/

11)   Health Advocate (2007), ‘Guide to workplace wellness: healthy employees, healthy bottom-line’, accessed and downloaded on 12/05/2014 at: www.healthadvocate.com/downloads/whitepapers/WorkplaceWellnessGuide.pdf

12)   McQueen, M., (05/12/2006), ‘The Road to Wellness is Starting at the Office’, Wall Street Journal, 5,

13)   Wieczner, J., (08/04/2013), ‘Your Company Wants to Make you Healthy’, Wall Street Journal, accessed and downloaded on 12/05/2014 at: http://online.wsj.com/news/articles/SB10001424127887323393304578360252284151378

14)   Ibid.

15)   Doyle, J., (2012), ‘Fat cop crackdown: Police officers too unfit for the beat face pay cut… and later retirement looms to current head’, Daily Mail, 15/03/12: accessed and downloaded on 16/05/2014 at: www.dailymail.co.uk/news/article-2115335/Fat-cop-crackdown-Police-officers-unfit-beat-face-pay-cut--later-retirement-looms-current-head.html

16)   Northern Echo (23/07/2013), ‘Chief Constable fails fitness test’, accessed and downloaded on 14/04/2014, and subsequently redacted, at: www.thenorthernecho.co.uk/news/10704384.Chief_constable_fails_fitness_test/?action=complain&cid=12028487

17)   Police online (2014), Winsor Part 2 Update: Why an annual fitness test is not a ‘one size fits all’ solution. April 2014: accessed and downloaded at: www.policemag.co.uk/editions/349.aspx

18)   Police UK.com (2014) Police Fitness, accessed and downloaded on 16/05/2014 at: http://policeuk.com/fitness_test.php

19)   Morgan, P., Fletcher, M., Sarkar, M., (2013). ‘Defining and characterizing team resilience in elite sport’, Elsevier Psychology of Sport and Exercise

20)   Ibid.

21)   Lengnick-Hall and Beck (2005), ‘Adaptive Fit versus robust transformation’, accessed and downloaded on 12/12/2014 at: http://jom.sagepub.com/content/31/5/738.short

22)   Op. Cit., Morgan et al

23)   Ibid.

24)   Op. Cit., Coutu

25)   Sarkar, M., Fletcher, D., (2012), ‘Developing Resilience - Lessons learned from Olympic Champions’, The Wave Lane 4, Issue 4 October 2012

26)   Ibid.

27)   Ibid.

28)   Ibid.

29)   Seligman, M., (2011), ‘Building Resilience’, Harvard Business Review April 2011

30)   Ibid.

31)   Ibid.

32)   Op. Cit., Coutu

33)   Telegraph online (21/09/2008), ‘Islamabad Marriott Hotel bomb killed 52’, says Pakistan, accessed and downloaded on 31/03/2015 at: www.telegraph.co.uk/news/worldnews/asia/pakistan/3041148/Islamabad-Marriott-hotel-bomb-killed-52-says-Pakistan.html

34)   Berrett-Koehler, Siebert, A. (2005), ‘The Resiliency Advantage’, New York, Practical Psychology Press

35)   Mitroff I, with Anagnos, G., (2001), ‘Managing Crises Before They Happen’, New York: Amacam Books

36)   Ibid.

37)   Stephanopoulos, G., (1999), ‘All Too Human: A Political Education’, Boston, Little Brown

38)   W. Timothy Coombs (2007), ‘Crisis Management and Communications’, Institute for Public Relations

39)   Ibid.

40)   The City of London i-modus scheme is run by the communications firm, Vocal, on behalf of the City of London Police

41)   Cohen, J.R. (1999), ‘Advising clients to apologize’, S. California Law Review, 72, 10009-131

42)   Tyler, T., (1997), ‘Liability means never being able to say you’re sorry: Corporate guilt, legal constraints, and defensiveness in corporate communication’. Management Communication Quarterly, 11(1), 51-73

43)   Hearit, K. M., (1994) ‘Apologies and Public Relations Crises at Chrysler’, Toshiba, and Volvo’, Public Relations Review, 20(2), 113-125

44)   Kubler-Ross, (1969), ‘On Death and Dying’, Routledge, ISBN 0-415-04015-9

45)   Argenti, P., (2002), ‘Crisis Communication: Lessons from 9/11’, Harvard Business Review, 80(12), 103-109

46)   Author interview with senior director of corporation impacted by 9/11 conducted in New York during September 2014.

47)   Op. Cit., W. Timothy Coombs

48)   Berto, E., (02/08/2011), ‘Crisis communications lessons from the News of the World scandal’, was accessed and downloaded on 31/03/2015 at: http://blogs.waggeneredstrom.com/thinkers-and-doers/tag/journalist/

49)   Facebook George W. Bush page was analysed and accessed on 27/11/203 at: https://en-gb.facebook.com/georgewbush Facebook FEMA page was analysed and accessed on 27/11/2013 at: www.facebook.com/FEMA. Facebook Long Island Pulmonary Hypertension Support Group was analysed and accessed on 27/11/2013 at: www.facebook.com/LongIslandPHSupportGroup Facebook Miley Cyrus page was analysed and accessed on 27/11/2013 and 31/03/2015 at: https://en-gb.facebook.com/MileyCyrus Facebook Barack Obama page was analysed and accessed on 27/11/2013 and 31/03/2015 at: www.facebook.com/barackobama Facebook Russell Brand page was analysed and accessed on 27/11/2013 at www.facebook.com/RussellBrand Facebook US Military page was analysed and accessed on 27/11/2013 at: www.facebook.com/USMilitary Facebook 10 Downing Street page of David Cameron was analysed and accessed on 27/11/2013 at: www.facebook.com/10downingstreet

50)   Red Cross (2012) The American Red Cross and Dell Launch First-Of-Its-Kind Social Media Digital Operations Center for Humanitarian Relief, accessed and downloaded on 31/05/2012, available at: www.redcross.org/portal/site/en/menuitem.94aae335470e233f6cf911df43181aa0/?vgnextoid=1cc17852264e5310VgnVCM10000089f0870aRCRD

51)   CSARN (2012), Security Viewpoint (1) ‘The role of social media in emergencies’, downloaded from the CSARN.org website on 02/12/2013 from: http://news.csarn.org/2012/07/csarn-security-viewpoint-1-the-role-of-social-media-in-emergencies.html

52)   Department of Homeland Security (2011) Written Statement of Craig Fugate, Administrator, Federal Emergency Management Agency, before the Senate Committee on Homeland Security and Governmental Affairs, Subcommittee on Disaster Recovery and Intergovernmental Affairs: ‘Understanding the Power of Social Media as a Communication Tool in the Aftermath of Disasters’, accessed on 31/05/2015 at: www.dhs.gov/ynews/testimony/testimony_1304533264361.shtm

53)   Sutton, J. Palen, L. Shklovski, I. (2008) Backchannels on the front lines: Emergency uses of social media in the 2007 Southern California Wildfires. Colorado: University of Colorado

54)   Lindsay, B. (2011) Social Media and Disasters. Washington DC: Congressional Research Service

55)   55) Sikich. G., (2010), ‘Enterprise Risk Management Lessons from the BP Deepwater Horizon catastrophe’, Continuity Central website, accessed and downloaded on 23/11/2013 from: www.continuitycentral.com/feature0790.html

56)   Ibid.

57)   BCI (2013), ‘Good Practice Guidelines’, can be accessed via the BCI website at: www.thebci.org/index.php/resources/the-good-practice-guidelines

58)   PAS 200:2011 Crisis Management (2011), ‘Guidance and good practice’, London: BSI, can be accessed via the BSI shop at: http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030252035

59)   ISO News (21/12/2011), ‘New ISO standard for emergency management’, was accessed and downloaded on 01/04/2015 at: www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1496

60)   ISO 22301:2012 (2012), ‘ Business continuity management systems - Requirements’, was accessed and downloaded on 01/04/2015 at: www.iso.org/iso/news.htm?refid=Ref1587

61)   ISO 22301 World (n.d), ‘BS25999 and ISO 22301 Introduction’, accessed on 01/04/2015 at: www.25999.info/