It’s time to get serious about getting prepared. In 2021, organizations will need to respond more quickly and decisively to critical events, but with fewer resources. Without an end-to-end process to manage these events, it’s nearly impossible to satisfy this mandate.In most cases, organizations are trying to deal with threats using manual processes and disjointed systems. As a result, they are unable to efficiently and effectively manage these events. Plus, organizations are often grappling with too much data, making it extremely challenging to arrive at a basic understanding about what’s going on.With the right plan in place, your organization can prepare for any workplace threat. Here are the five steps to creating a workplace preparedness strategy:
1. Devise a plan
This might seem simple enough, but the plan must be comprehensive in order to be effective. It starts with a general foundation then expands to cover various types of threats. For each type of threat, map your plan to appropriate resources and response activities. Given the types of threats your business may face, you should:
- Appropriately categorize critical events by type, predictability, cause and scope
- Differentiate between routine emergencies and crisis events
- Determine how to deal with each event and who will take the lead
- Tailor your plan depending on the severity of the threat or crisis so you can activate your plan as quickly as possible
When getting started with your crisis management plans, start in order of predictability. For example, if you operate in a hurricane-prone region, start by developing a hurricane plan, including one to deal with office closings. If your business operates in many locations, you should standardize your plans. In today’s mobile world, having digitized plans readily accessible by mobile device is key when responding to critical events while out of the office.
2. Assess your sources of information
With a plan in place, it’s time to assess how well the organization can navigate critical events. One of the biggest issues is not knowing when a threat develops and then not being able to confidently vet what happened.Here are a few different sources of information that you should routinely monitor to stay abreast of critical events:
- Disaster facilities
- Social media
- Cameras on-site
The goal of this assessment is to confirm the threat event and ensure the appropriate team has all needed input and contextual feeds in one place to make the appropriate decisions. That means lining up trusted information sources for all types of risks. This undertaking can get complex, especially in larger organizations. Start by understanding the event in the context of the five key assets: people, buildings, IT systems, supply chain, and brand/reputation.
3. Quantify and prioritize your risks
The next step is to figure out what is critical and what isn’t. Answer the big question: What is the impact and exposure? An effective approach to answering this question is to quantify risk based on:
- The threat
- The threat’s nature
- The organization’s overall vulnerability or exposure
- The overall impact to people, assets, and the business
Unfortunately, it’s not a simple equation. Consider the timeline, which is often dynamic. For instance, it’s not sufficient to ask, “How many employees are in HQ right now?” since employees are constantly on the move. While it’s critical to quantify risk, keep in mind that the impact from a single event can differ across the company and can impact different assets in different ways. For instance, a labor strike in Paris is not a critical event for local employees who know how to deal with it, but it is for traveling employees who aren’t accustomed to this.In other words, context matters and can change the risk profile. The key is to understand risk based on all variables to determine the best response to any event.
4. Identify and locate all stakeholders
Quickly locating, communicating with, and assisting employees and visitors in a crisis is a priority. To that end, typically in any type of critical event, organizations will be dealing with three groups of stakeholders:
- The people who can do something about the event. These people can put context around the situation and can help assess the threat to determine who’s impacted. Some organizations call them responders or resolvers. In larger organizations, this might be an incident response team. When creating a list of responders, organizations should take into consideration schedules, rotations and locations.
- Those impacted. In addition to identifying impacted people, you must know where they are located so you can quickly notify them. Automating communication can save even more time.
- Those needing to know about the event. Who needs to know about the event? Should you wake up the CEO at 2 am? Can you handle the event regionally? Determining this ahead of time is key to reducing the impact of the event.
To avoid alert fatigue or “the boy who cried wolf” syndrome, only inform those who need to know. At the same time, make sure people aren’t bombarded with updates. If possible, let the appropriate people see all necessary information in one place.
5. Analyze performance
The final step is to close the loop by analyzing how well your organization responded. Start your after-action review by trying to understand the following:
- Has this happened before?
- What was the impact?
- What did we do well?
- What could we have done better?
- What slowed us down?
- Who was involved?
- Who responded fastest?
Just remember: the key is to not only perform these reviews but to close the loop by learning from experience and continually improving the plan and response.Creating a strategy gives you a blueprint to be prepared for any type of emergency. As you do this, you’ll mature your processes and find ways to automate the more error-prone or manual steps in your plan.