Crisis simulation is key to good governance

Business continuity, IT continuity, and physical and data security are firmly on the boardroom agenda, thanks to a growing focus on risk governance by legislators and regulators. As a result, more and more attention is being given to formulating plans to protect the business and ensure it can continue trading, no matter what happens.

"But plans are just words on paper until they have been properly tested," says Jaun Harmse, senior business continuity management advisor at ContinuitySA, Africa's premier provider of business continuity management. "Of course, the only true test is an actual disaster, but that's really not the time to find that your crisis plan has some holes! The only prudent course is to undertake a regular crisis simulation."

Harmse says crisis management forms part of the overall strategy for business continuity management, and has two components: the crisis management plan itself and the communications plan. The crisis management plan details the responsibilities in the event of a crisis of key individuals and unit heads within the company, such as the CEO, COO, CIO, CFO and PR officer. In today's world of instant communication and overwhelming media scrutiny, the communications plan is more important than ever to help manage the impact of a disaster on a company's reputation, across its stakeholder community as well as the market as a whole.

For example, compare the proactive communications stance that helped New York's mayor Rudolph Giuliani manage the media storm in the wake of the 9/11 attacks, as compared with the damage caused to the BlackBerry brand by the silence of its owners, Research in Motion, in the wake of the infamous network outage in 2011. The once-proud brand has never recovered.

"Training people how to use the multiple communications channels available in a time of crisis is vital," Harmse argues. "Used properly, communication can help turn a negative event into something positive, but this is not something that can be done on the fly. Immediacy is important, and mistakes have huge ramifications."

Harmse says by their very nature, crisis plans are general because they have to cope with a wide range of possible scenarios. By contrast, the crisis simulation has to be very detailed and specific. Careful research is needed to identify a company's pain points when constructing the script for the crisis simulation, and then a third party is required to monitor what each member of the crisis team does.

"One critical success factor is the quality of the person leading the team: one needs an individual who is confident, able to deal with pressure and can delegate, somebody who can look at the situation as a whole and keep track of all the moving parts," he explains. "Again, the only way to ascertain whether one has the right person in place is to see how he or she performs in the crisis situation."

Crisis simulation is established as part of business continuity management strategies, but, Harmse believes, is also essential when it comes to IT continuity and physical/data security. "Typically, many of the same people are involved in each instance, so it makes sense to see crisis simulation as the way to ensure the company's risk governance is not only in place, but actually works."