Haris Hamidovic, CIA, ISMS IA, ITIL, IT Project+
“Businesses operate in an increasingly risky environment.”1 As an illustration, research shows that more than 60 percent of small and medium-sized enterprises (SMEs) in Switzerland and in the European Union (EU) experience some form of disaster.2
Creating and maintaining a business continuity plan increases awareness of threats, prepares the organization for potential disruption and helps ensure that the organization has the resources and information needed to deal with such emergencies.3
To set up and manage an effective business continuity management system, an organization needs to define a risk assessment process that enables it to understand the threats to, and vulnerabilities of, its critical activities and supporting resources. It must then assess the impact that would arise if an identified threat became an incident and caused a business disruption.4
For each of its critical activities, an organization should determine potential loss mitigation and risk treatments that:5
Nevertheless, one should bear in mind that risk events lie in the future, which cannot be predicted. Regardless of the time spent, one simply cannot identify all risk in advance. The best one can do is to make educated guesses, preparing for the most likely events that would have the biggest impact on the organization.6
Risk that is not identified, or that is identified but not with the scale and intensity it actually presents, can produce a crisis. Crises may also be the product of an unforeseen combination of interdependent risks. They develop in unpredictable ways, and the response usually requires genuinely creative, as opposed to prepared, solutions.7
The roles of strategic management are amplified during a crisis. They are likely to include direct intervention and decisive strategic leadership that cannot be preconceived. They may even include strategic repositioning of the organization as a whole, and for that reason, crisis management is the domain of top management.8 Organizational change is about making alterations to the organization’s purpose, culture, structure and processes in response to seen or anticipated changes in the environment, which can be especially significant during a crisis. Strategic management of change is all about identifying and embedding in the organization those changes that will ensure the long-term survival of the organization.9
Publicly Available Specification (PAS) 200:2011 Crisis management. Guidance and good practice, recently published by the British Standards Institution, is a practical guide to establishing good practice on crisis management. It provides guidance to help organizations of any size or sector develop and implement a crisis management capability. This article introduces some of this guide’s recommendations.
PAS 200:2011 defines a crisis as an “inherently abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization.”10
“Crises are not synonymous with incidents, and it is argued that their management presents special challenges that require different approaches.” PAS 200:2011 clarifies that “incidents are said to have ‘structure’ because they are produced by identifiable and assessable risks and present themselves in fairly predictable ways.” Furthermore, “as with the majority of risks that concern business continuity management (BCM) planning, even the most challenging and serious incidents generally lend themselves to preprepared responses.”11
Crises could stem from an incident, but not necessarily.12 Some suggest that one can “assume that a crisis is reached when the organization moves beyond its abilities to contain the task demands of the ‘event’ and it escalates still further beyond the limits of contingency plans.”13 (See figure 1).
Because crises are not synonymous with incidents, PAS 200:2011 explains that crisis management is very different from incident management: “[Crises] develop in unpredictable ways, and the response usually requires genuinely creative, as opposed to preprepared solutions. Indeed, it is argued that preprepared solutions (of the sort designed to deal with more predictable and structured incidents) are unlikely to work in complex and ill-structured crises. They may, in fact, be counterproductive.”14
As crisis management is about making major strategic decisions in abnormal, unstable and complex situations, a lengthy and complicated manual of the sort familiar to incident managers would be more of a hindrance than a help. The crisis management plan “is not a guide as to what to do next in a given situation” but rather a framework in which good decisions can be taken.15
Because the types of crises are limitless,16 it aids analysis to divide them into two main categories: natural and industrial crises. “It is a necessity to make this distinction, as natural crises are created by acts of nature, whereas industrial crises are situations in which organized industrial activities are the source of major damage to human life and natural and social environments.”17
From a different perspective, PAS 200:2011 suggests a crisis typology of sudden and smoldering crises. Sudden crises “are characterized by their immediate onset. They tend to be unanticipated and escalate very quickly, often as a result of a severe triggering event or incident that may be out of the organization’s control,”18 while smoldering crises are those for which the “common feature is that impact on the organization and its stakeholders grows, sometimes undetected, over a period of time, whilst indicators of potential crisis are possibly missed, denied, ignored or misunderstood.”19
It is generally accepted in the crisis management literature that most crises are of the smoldering type. This makes a strong case for establishing a capability for systematic examination of potential threats, opportunities and future developments that may create new risk or change the character of risk already identified, so that potential and emerging threats are identified, assessed and mitigated as early as possible.20
PAS 200:2011 is very clear that it is not prescriptive about solutions. There are no checklists, nor should there be, because good practice in crisis preparedness is something each organization needs to develop within its own unique context. PAS 200:2011 provides a framework within which an organization can do this thinking. In particular, PAS 200:2011 sets out “the four basic requirements of capability:”21
Before they occur, the majority of crises send a trail of early warning signals announcing the possibility that a crisis will take place;22 these signals are sometimes very weak or hard to detect. The following are some limitations of crisis warnings:23
Companies, like individuals, try to deny their weaknesses. The reasons organizations do not engage in proper crisis management are often:24
Too few organizations take crisis management into account. The capability to manage crises should not be seen as something that can simply be developed as and when needed. Developing a crisis management capability requires a systematic approach.
In developing the crisis management capability, there will be many opportunities for synergy with ordinary business management processes, business continuity arrangements, information security and incident management activities.
Organizations should actively learn from crises that affected the organization or other organizations.
Furthermore, recovery from a crisis should be seen as an opportunity to regenerate, restructure or realign an organization. The essence of recovery should not necessarily be a return to the previous normality; it may mean moving toward a model of business and organizational structures that represents a new normality.
1 British Standards Institution, Business continuity management and risk management. The role of standards, 2011
2 Dawes, Terry; Wolfgang Mahr; Business Continuity for SMEs, BRaC-2020/Terry Dawes Consulting, 2011
3 Ibid.
4 British Standards Institution, BS 25999-2:2007 Specification for business continuity management, 2007
5 Ibid.
6 Hubbard, Larry; “Skip the Numbers: Assessing Risk Is Not a Math Game!,” New Perspective, February 2009
7 British Standards Institution, PAS 200:2011 Crisis management. Guidance and good practice, 2011
8 Ibid.
9 National Defense University, “Strategic Leadership and Decision Making,” www.au.af.mil/au/awc/awcgate/ndu/strat-ldr-dm/pt4ch19.html
10 Op cit, British Standards Institution, PAS 200:2011
11 Ibid.
12 The potential origins of crises are diverse. For example, they may be externally generated by changes in the business, political or social environment within which the organization operates, or derived from breaches (perceived or actual) of standards of probity, ethics or corporate responsibility. (PAS 200:2011)
13 Smith, D.; D. Elliot; Key Readings in Crisis Management, Routledge Publishers, USA, 2006, referenced in Yap, Kwong Weng; “Managing Ahead of Crises: Rising Towards a Model of Adaptability,” Pointer Monograph No. 7, 2009
14 Regester Larkin; RL Assessment of PAS 200, 2011
15 Ibid.
16 Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
17 Smith, D.; D. Elliot; Key Readings in Crisis Management: Systems and Structures for Prevention and Recovery, 1st Edition, Routledge Publishers, 2006, referenced in Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
18 Op cit, British Standards Institution, PAS 200:2011
19 Ibid.
20 Ibid.
21 Ibid.
22 Mitroff, I. I.; G. Anagnos; Managing Crises Before They Happen: What Every Executive and Manager Needs to Know About Crisis Management, American Management Association, 2001, referenced in Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
23 Seeger, M. W.; T. L. Sellnow; R. R. Ulmer; Communication and Organizational Crisis, Praeger Publishers, 2003, referenced in Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
24 Op cit, Mitroff
Haris Hamidovic, CIA, ISMS IA, ITIL, IT Project+, is chief information security officer at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North Atlantic Treaty Organization-led Stabilization Force in Bosnia and Herzegovina. He is the author of five books and more than 70 articles for business and IT-related publications. Hamidovic is a certified IT expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina and the Federal Ministry of Physical Planning of Bosnia and Herzegovina. He is a doctoral candidate in critical information infrastructure protection at the Dzemal Bijedic University, in Mostar, Bosnia and Herzegovina.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.