Re BMW Crisis Planning

By Peggy Kelly, 2014-04-11 04:46

Author: Peter Speight

    Crisis & Contingency Planning is Part of the Risk Assessment Cycle

Peter Speight

Crisis Management is a systematic response to unexpected events that threaten the people, property and operating continuity of the organisation.

In my opinion, one of the leading authorities in this area is Peter Consterdine of Future Global Plc, who wrote: 'Crisis Management builds upon the practices of emergency management, the principles of risk management, and the elements of risk and crisis communications, the concepts of business continuity and contingency planning and security considerations.' (Consterdine, 2005)

Research shows that only 25% of U.K. organisations have a regularly tested disaster-based business plan. Even fewer have run full scenario testing of other, core recovery plans. Companies that cannot demonstrate clear and comprehensive risk management strategies will be penalised by an already harsh insurance market. Conversely, insurance companies may lower the premiums they charge if they can be convinced that a disaster recovery plan is adequate. Company officers are increasingly held liable for such issues as 'Corporate Killing'. Clearly most organisations are only prepared to deal with emergencies at the incident site, and often due to legislative requirements, for example fire and evacuation plans/drills.

'The systematic models of Turner and Perrow appear to suggest inevitability for organisational failure. The homeostatic model (Adams, 1995) suggests that an unconscious or instinctual need to create risk will always balance out against those that are eliminated. Problems with risk, irrationality and the complexities of social communication and regulation again point to the need for more resources applied to response, rather than prevention.' (Borodzicz, 2005, p.73)

'Prevention, where possible, is always better than the response after things have gone wrong. In the complex world we now inhabit, a failure to be able to respond to failure is of equal concern.' (Borodzicz, 2005, p.73)

There is a lot of groundwork to do, particularly in establishing the capabilities at any location/locations to manage/execute a crisis plan. Firstly, somebody would need to define the Objectives & Principles, e.g. the definition of a crisis, but not specify or categorise the range of threats they feel need consideration; they may say “a company faces several threats that could cause crisis within the UK and all other subsidiary companies”.

And the tasks will normally include:

• All site risk assessments
• Preparation of Crisis & Contingency Manual
• Establishing a suitable Crisis Management Room
• Training
• Scenario-based testing

Within the manual, it is necessary to develop some specific 'Action Guidelines' re, say, Abduction, Product Contamination, Extortion, Bomb Alerts etc. If the sites include manufacturing facilities, I believe it is essential to develop a 'Disaster Manual', and if we are dealing with an ex-pat community in a Third World geography, then 'Evacuation' must be dealt with.


My thinking is that 'base level' procedures are put in place for emergency management.

Whilst 'Corporate' would require a 'Crisis Management' plan in place, avoidance of a crisis usually depends upon the management of emergencies, so as to prevent them turning into a crisis. It is necessary to detail a whole range of potential incidents, roll some up into the Security Manual with site guidance instructions, and then ensure that the emergency communication up the line is well established.

Consideration needs to be given to a separate 'Communication Manual', and the question asked: 'can this aspect of crisis management be adequately covered in the main crisis manual?'

In terms of 'structural characteristics', it is of vital importance to the 'emergency management system' that it has the same structure at site, company, country etc., with clearly defined job descriptions, defined competencies, tasks and processes.

My preferred structure for a team consists of Director, Co-ordinator and three core modules (Communication, Data/Documentation, Logistics). This is not far removed from normal 'Corporate' requirements; however, the recommendation would be that the country M.D. should be the Head/CMT, and you may need to evaluate this.

Another area for discussion is whether there is a requirement for site 'Emergency Response Teams' and, if so, how constituted! Additionally, there will need to be alert states and a process put in place whereby intelligence from whatever source is constantly evaluated so as to keep the 'Alert' systems relevant and timely.

'Any Emergency Management' should be designed to allow mobilisation of the right resources with the relevant expertise for the problem at hand, i.e.

• Facilitate full concentration on emergency management tasks
• Allow business to continue as normally as possible
• Enable 'the company' to show competence in the face of the unexpected

Corporate Communications need to be involved, certainly in the preparation stage, and their future involvement will be defined by evaluation. Certainly, they should be part of an issue-tracking network, whereby any issue with a potential impact on the company is identified and transmitted to the Emergency Management Co-ordinator. They may also co-ordinate 'advocacy' activities in defence of the company's positions. Ideally, they should fulfil the following 3 requirements:

• To signal trends for potential issues identification
• To provide support for issue preparedness
• To provide advocacy support

At this juncture, it is important to consider the wider issues of crisis management as they extend to the recovery and continuity issues. It is not sufficient for those who may be involved in the management of a crisis, even if handled successfully, to pat themselves on the back and consider the job well done and concluded. Often the conclusion of the crisis is the start of the eventual restoration of business functions.


The planning for business continuity extends the work on emergency handling and crisis management and recognises that successfully handling incidents and events is only part of the overall requirement to get a business back up and operating as before. The objective of business continuity is to return the organisation to normality as quickly and as expediently as possible, with minimum losses.

Business Continuity Planning (BCP) is about understanding the business and establishing what is vital for its “survival following a major disaster affecting normal operations”.

BCP can be viewed as a four-stage cycle:

1. Mitigate: to reduce and manage risks
2. Readiness: all measures which need to be in place, especially planning, warning
3. Response: the management of the emergency, or crisis.
4. Recover: once the incident is over (or even during), the continuity plan should identify the requirements for the return to normality.

It can be seen from the above the natural overlap which occurs between the identification of risks, their management by means of security analysis and necessary adjustments outlined in the security strategy, the establishment of the crisis plans and the implementation of business recovery strategies.

Business continuity is about establishing key processes and business functions and what resources departments will require, and within what time scales, to re-commence those processes and functions that have been determined as critical to the business. Organisations have many dependencies, both internal and external, which support their critical processes and functions. These may include, but not exclusively, suppliers, customers, I.T. systems and manufacturing processes. The critical needs of departments need to be analysed and ranked in order of importance, for example:




Each functional area of the organisation should be analysed to determine the potential consequences and impact associated with several disaster scenarios. The assessment process should also evaluate the safety of critical documents and vital records.

This assessment is carried out by means of the Business Impact Analysis (BIA). The BIA is the second stage of the crisis/disaster recovery process and it identifies what would be the impact on the organisation's goals if critical processes and functions were disrupted or lost. The BIA enables the organisation to focus BCP activities on essential business

Mitigation is primarily about managing and reducing risks whatever their source and can be covered with the Risk Assessment & Security Audit process.

Readiness is the 'in-house' insurance policy and covers all the preparedness measures, notably planning. It includes internal warning systems, communications, control teams, equipment & resources, casualty procedures, essential services, media policy, critical records and welfare arrangements.

Security, too, is part of readiness and terrorist activities should serve to sharpen awareness of it. With the production of the Security Manual, this aspect of 'Readiness' should be in progress? A well-conceived security plan based on sound intelligence, business acumen and common sense provides protection and ensures an appropriate response to criminal incidents other than terrorism.

This process involves a great deal of work, not just in the composition of the Manual, but in its integration with 'site' procedures and subsequent training and education procedures.

'Major crises – from Challenger, Bhopal, Tylenol or Chernobyl to Exxon Valdez and Braer are no longer exceptional events. Indeed the risk of crisis is even becoming structural as large networks become more complex, more vulnerable and more independent … crises continue to become more frequent and destabilising.' (Lagadec, 1993, p.45)

Lagadec is not alone here: as crises become more numerous, visible, and calamitous, organisations have no choice but to accept them as inescapable reality that must be factored into their planning and decision making. (Lerbinger, 1997)

'Are a serious disruption to life, with little or no warning, causing or threatening death or serious injury to such numbers of persons, in excess of those, which can be dealt with by the public services, operating under normal conditions at that time. Which calls, therefore for special mobilisation and organisation of those services.' (Wilson, JQ. & Slater, T, 1990, p.6)

We only have to look at a selection of past incidents which made world news, such as the deaths of the Apollo Space Capsule Crew who perished in a fire during practice drills in January 1967, and the crew of the Soyuz XI Space Capsule who died following the capsule's decompression during re-entry in June 1971.

Other examples clearly illustrate our inability to accurately predict the probability of disaster scenarios occurring. For example, Three Mile Island, 26th April 1986; Piper Alpha, 6th July 1988; and the explosion in Guadalajara, 22nd April 1992, to mention but a few. Other disasters like the San Francisco Earthquake, 18th April 1986; the Bangladesh floods in September 1988; and Hurricane Andrew in August 1992, remind us that nature has the power to create even greater mayhem.

Therefore, the faith that an organisation was able to prevent, or provide mechanisms which would help prevent, the losses sustained from such events was for many managers in the past simply not credible. As a result, it can be argued their efforts were focused upon protecting their organisations through the purchase of insurance.

An example of such management was the tragic fire at the Bradford City Football Stand on Saturday 11 May 1985, when over fifty people lost their lives. As early as August 1969, the Fire Prevention Association had published an article in the Journal (No 83: pp 322-324) giving details of several fires that had taken place in football stands, like the one at Bradford, and warned of the fire risk associated with them.


If this information had been brought fully to the attention of the security management team at Bradford City, they could have acted upon that risk and the incident averted. This is one area where both roles could combine to prevent risk.

Over the years, research has been carried out into disasters and large-scale accidents. It was found that many do display similar features and characteristics. Some organisations now realise that it is possible for them to take positive steps that will significantly reduce their risk. This, to some extent, is based on the fact that insurance coverage cannot be purchased for many of the risks that organisations face, for example, gradual pollution, and security managers must assess these risks and use information to devise and implement strategies.

Unfortunately, from one perspective, risk management can be envisaged as being similar to soothsaying and prophecy, in so far as the general idea is to forecast what potential misfortunes the future might hold for an organisation and then try to prevent them from occurring. As a consequence, many managers in the past appear to have held, and in some cases still do hold, the belief that risk management is some kind of secret, a form of black magic, and that it is an undertaking outside 'normal' management practices.

Opinions are, however, being changed; the recent developments show advantages to be gained through the appropriate management of risk. It can also be argued that once an organisation has recognised risk management and security input, as they now increasingly seem to do, they are in a position to improve their financial performance by either preventing or reducing the potential losses to which they are exposed, again both functions coming together to make one collective decision. Brian Toft, in his publication Trends and Developments in Risk Management, supports this line of thinking.

There is, it seems, a decision by corporate management to engage in this kind of strategy and there will be a strong message to the security manager that the risk profile has changed. In light of this, the security manager will need to review current and projected security measures based upon this new security risk or threat assessment.


'It is argued that many of the popular ideas regarding the underlying causes of technological disasters are myths. Examples include the view that such events are the product of divine wrath, or are solely technical in nature. The former suggests we cannot learn from these events, since divine intervention is inexplicable, while the latter suggests that an engineering solution will of itself be sufficient to prevent a recurrence of the incident.' (Toft & Reynolds, 2005, p.12)

'However, much research suggests that the underlying causes of catastrophes are far more complex than the simple explanations generated by such beliefs. Subsequent analysis of these events reveals that their underlying mechanisms invariably have organisational and social dimensions, while technological factors are sometimes, but not always present. Utilising the theoretical framework of systems theory, and the concept of organisations as socio-technical systems, analysis allows technological disasters to be more appropriately understood as a result of human rather than divine actions. Similarly, this mode of analysis flags up the more complex socio-technical nature of these events as opposed to the exclusively technical.' (Toft & Reynolds, 2005, p.12)


'Turner rightly argues that in the search for some general principles to aid our understanding of disasters it is better to think of the problem of understanding disasters as a 'socio-technical' problem with social organisations and technical processes interacting to produce the phenomena to be studied.' (Turner, 1978)

The late Professor Barry Turner was highly influential in the understanding that disasters do not simply just happen, but that they usually are incubated during a socio-technical operation of a system. He also went further and developed a disaster sequence model, where he described the six stages of a disaster's life cycle.

The six stages of Turner's disaster model are as follows:

Stage 1 Notional Normal Starting Point: (a) Initially culturally accepted beliefs about the world and its hazards; (b) Associated precautionary norms set out in law, codes of practice, mores and folkways.

Stage 2 The Incubation Period: The accumulation of an unnoticed set of events which are at odds with the accepted beliefs about hazards and the norms for their avoidance.

Stage 3 Precipitating Event: Forces itself to the attention and transforms the general perceptions of Stage 2.

Stage 4 Onset: The immediate consequence of the collapse of cultural precautions becomes apparent.

Stage 5 Rescue and Salvage: First stage adjustment. The immediate post-collapse situation is recognised in ad hoc adjustments, which permit the work of rescue and salvage to be started.

Stage 6 Full Cultural Readjustments: An inquiry or assessment is carried out and precautionary norms are adjusted to fit the newly gained understanding of the world.

(Turner, 1978)


A Crisis Management Programme is what provides the integrated crisis management capability through planning, organisational development, training, exercising and continuous improvement at each level of the organisation. The prime purpose of this is to provide the framework which will enable the organisation to cope efficiently and effectively in times of emergency.

It is crisis management training, planned prevention and immediate response that reduce losses, so as to keep a company operational and productive. Simple plans, with basic procedures can give people an outline for decisions and a support framework for fast

The development of a 'Crisis Management Plan' is to include areas such as Incident Handling and Business Continuity, which are designed to provide the outline for decision making and the support framework described.



Risk Management is increasingly becoming a key issue in the protection of the reputation and brand values of many organisations. With an increased understanding of the threat potential and more complex research data available, organisational awareness has improved considerably over the last ten years.

With the variety of corporate legislation which now exists, affecting the behaviour, performance and governance of organisational activities, and a new culture emerging of 'no win, no fee', insurance implications with regard to the threat potential have spiralled to previously unthinkable levels.

However, with the advancements in technology and the inevitability of an organisational failure resulting in major losses, many businesses are still failing to fully comprehend the advantages which could result from having a proactive approach to Security and Risk Management.

Risk Management is not the ability of hindsight or some form of black magic, but it represents the organisational awareness of the potential threats which may affect their stability. By being able to identify the 'Pure' or 'Speculative' risks which may exist, an organisation can systematically protect their resources, income and reputation.

Many insurance companies are no longer prepared to expose themselves without first asking the question: what has an organisation done, or could have reasonably done, towards prevention? This has resulted in many larger organisations self-insuring, thus increasing their potential for a catastrophic failure. Insurance companies ask the question for a perfectly good reason; their risk increases with organisations that have neglected to consider the potential for organisational failure.

The introduction of Corporate Governance by the Institute of Chartered Accountants in England and Wales, making Directors responsible and companies compliant, has assisted in elevating the awareness towards the implementation of Risk Management Strategies.

The identification, analysis, measurement, control and financing of the risk allows organisations the ability to evaluate their vulnerabilities and balance the risk against the cost of the counter-measures required to direct their response to the threat potential.

Peter Speight MSc PgD IOSH MIRM MsyI is Director of Security Risk Management for Reliance Security Services.

