Request a Demo

Fill in the form below and we will contact you shortly to organised your personalised demonstration of the Noggin platform.
Request a Demo

Meet Noggin

An integrated resilience workspace that seamlessly integrates 10 core solutions into one, easy-to-use software platform.

Business Continuity
Business Continuity
Operational Resilience
Operational Resilience
Crisis Communications
Crisis Communications
operational risk management
Operational Risk Management
Crisis & Incident Management
Crisis & Incident Management
Third-Party Risk Management
Third-Party Risk Management
Emergency Management
Emergency Management
WHS-hard hat
Safety Management
Investigations and Case Management
Investigations & Case Management
Security - padlock
Security Management

The Noggin Platform

The world's leading integrated resilience workspace for risk and business continuity management, operational resilience, incident & crisis management, and security & safety operations.

Learn More

Industries

Explore Noggin's integrated resilience software, purpose-built for any industry.

Aviation
Aviation & Airports
Construction
Construction
Counter Terrorism
Counter-Terrorism
Care Services
Care Services
Education
Education
Financial Services
Financial Services
Healthcare
Healthcare & Hospitals
Manufacturing
Manufacturing
Mining Oil & Gas
Mining, Oil & Gas
Government
Public Safety & Government
Retail & Hospitality
Retail & Hospitality
Technology
Technology
Transportation
Transportation
Utilities
Utilities
Venues & Entertainment
Venues & Entertainment
Resilience Management Buyers Guide - Thumbnail
A Resilience Management Software Buyer's Guide
Access the Guide

Who We Are

The world’s leading platform for integrated safety & security management.

Learn More
Whitepaper

A Guide to BS 11200 for Crisis Management

Noggin

Crisis Management

Published December 1, 2023

Table of Contents
A corporate crisis management case study

A corporate crisis management case study

Crisis can happen to anyone

The introductory sections of British Standard 11200

Key elements required for building a crisis management capability

Putting it all together: Nine fundamental crisis management principles:

Don’t have time to read it all now?
Download a copy for later

A corporate crisis management case study

As 2016 came to a wrap, it was the best of times for Cambridge Analytica. Backed financially by well-connected billionaires, the British political consulting firm and data company had just seen its most high-profile client, Donald Trump, pull off a political upset for the ages, with many singling out Cambridge Analytica’s services for plaudits.

Fewer than two years later, though, in March 2018, The New York Times reported that Cambridge Analytica had improperly obtained social media giant’s, Facebook’s information on up to 87 million people.

If those revelations weren’t sufficiently damaging, video soon emerged of senior Cambridge Analytica executives confessing to bribing and entrapping politicians, as well as conducting clandestine campaigns through a network of shell companies and sub-contractors.

For a company already ensnared in a high-profile investigation (then-special counsel Robert Mueller’s inquiry into Russian interference in the U.S. presidential election), the cascading ethical and legal questions proved too much. Cambridge Analytica and its parent company, SCL, called it quits just two months after The Times bombshell went to print.

Crisis can happen to anyone

Cambridge Analytica, of course, isn’t the first firm to flounder in the midst of a heavily mediatized crisis – indeed, today’s media landscape seems only to accelerate the speed with which news of a crisis spreads. Nor are high-profile brands the only victims of corporate crisis. 

Crises can affect any company, at any moment. A 2018 Forrester survey found that a full 100 percent of companies studied experienced at least one critical event in the last two years – many firms faced multiplei

What’s more, the impacts of those crises are likely to be felt more acutely by small and medium-sized businesses. For instance, according to the U.S. Federal Emergency Management Agency (FEMA), anywhere between 40 to 60 percent of small businesses in the U.S. close following a natural disasterii

The question remains, though, are organizations prepared to confront what have now become near-inevitable crises? The answer depends largely on whether those firms have developed a best-practice crisis management capability. But there’s the rub. To where are businesses to turn in order to build out their crisis capabilities?

Traditionally, international standards have been the source. And the International Organization for Standardization (ISO) has indeed put out multiple, useful, management system standards in the all-hazards space, including ISO 22320 for emergency management, ISO 22301 for business continuity, ISO 27001 for physical security. However, the body’s ISO 22398 societal security standard is limited in scope to crisis exercises and testing, only one aspect of the fuller incident and crisis management lifecycle. 

Instead, British Standard, BS 11200:2014, provides in-depth, best-practice guidance for crisis management. What does BS 11200 do, exactly? The standard “sets out the principles and good practice for the provision of a crisis management response… [with the intention] to aid the design and/or ongoing development of an organization’s crisis management capability.”

Further, the standard summarizes the core areas of crisis management, setting up themes and key areas that organizations should consider when building or enhancing their crisis management capability. Specifically, it covers core concepts and principles, crisis leadership and decision making, crisis communications, and training, exercise, and learning.

Importantly, the standard isn’t prescriptive in the way that other standards and specifications can be. Written for business owners and managers, it details what capabilities an organization needs in order to consider itself crisisready; firms might have those capabilities already or need to build them out. Either way, let’s delve into what the standard covers. 

The introductory sections of British Standard 11200

Even though crisis is a fact of corporate life, organizations often assume they are immune and thus fail to plan adequately. That is despite the clear risks associated with crisis, i.e. harm to stakeholders, losses for an organization, or even extinction. Intended for senior executives and crisis leadership, alike, the British standard helps organizations recognize the risks, so as to develop contextually-relevant crisis management programs and a core crisis management competence – defined as the
developed capability of an organization to prepare for, anticipate, respond to, and recover from crises.

The core crisis management capability (envisioned by the standard) entails “a forward-looking, systematic approach that creates a structure and processes, trains people to work within them, and is evaluated and developed in a continuous, purposeful, and rigorous way.” To that end, the standard provides guidance for the following:

  • Understanding the context and challenges of crisis management
  • Developing the organization’s crisis management capability through planning and training
  • Recognizing the complexities facing a crisis team in action
  • Communicating successfully during a crisis

Understanding concepts and principles help organizations develop a best-practice crisis management capability, especially since the competency to be developed is not typically part of routine organizational management. A key conceptual distinction that underscores that fact is the relationship between incidents (which organizations might already be prepared to address) and crises (which they usually aren’t, especially without management capabilities being deliberately built and sustained through investment in capital, resources, and time).

Where crises are abnormal, unstable situations that threaten the organization’s strategic objectives, reputation, or viability, incidents are adverse events that might cause disruption, loss, or emergency. Incidents, however, do not meet the criteria for, or definition of, a crisis, as the table below lays out:

Characteristics Incidents Crises
Predictability  Incidents are generally foreseeable and amenable to pre-planned response measures, although their specific timing, nature and spread of implications is variable and therefore unpredictable in detail.  Crises are unique, rare, unforeseen or poorly managed events, or combinations of such events, that can create exceptional challenges for an organization and are not well served by prescriptive, pre-planned responses. 
Onset Incidents can be no-notice or short notice disruptive events, or they can emerge through a gradual failure or loss of control of some type. Recognizing the warning signs of potential, actual or impending problems is a critical element of incident management. Crises can be sudden onset or no-notice, or emerge from an incident that has not been contained or has escalated with immediate strategic implications, or arise when latent problems within an organization are exposed, with profound reputational consequences. 
Urgency and pressure Incident response usually spans a short time frame of activity and is resolved before exposure to longer-term or permanent significant impacts on the organization. Crises have a higher sense of urgency and might require the response to run over longer periods of time to ensure that impacts are minimized. 
Impacts Incidents are adverse events that are reasonably well understood and are therefore amenable to a predefined response. Their impacts are potentially widespread.  Due to their strategic nature, crises can disrupt or affect the entire organization, and transcend organizational, geographical and sectoral boundaries. Because crises tend to
be complex and inherently uncertain, e.g. because a decision needs to be made with incomplete, ambiguous information, the spread of impacts is difficult to assess and appreciate. 
Media scrutiny Effective incident management attracts little, but positive, media attention where adverse events are intercepted, impacts rapidly mitigated and business-as-usual quickly restored. However, this is not always the case and negative media attention, even when the incident response is effective and within agreed parameters, has the potential to escalate an incident into a crisis.  Crises are events that cause significant public and media interest, with the potential to negatively affect an organization’s reputation. Coverage in the media and on social networks might be inaccurate in damaging ways, with the potential to rapidly and unnecessarily escalate a crisis. 
Manageability through established plans and procedures

Incidents can be resolved by applying appropriate, predefined procedures and plans to intercept adverse events, mitigate their impacts and recover to normal operations. 

Incident responses are likely to have available adequate resources as planned. 

 Crises, through a combination of their novelty, inherent uncertainty and potential
scale and duration of impact, are rarely resolvable through the application of predefined procedures and plans. They demand a flexible, creative, strategic and sustained response that is rooted in the values of the organization and sound crisis management structures and planning.

 

Why do these distinctions matter? Well, incidents can, in fact, beget crises. That’s why it’s so crucial that all crisis decision-makers understand all the traditional ways in which crises come to be. That list includes: 

  • Extreme disruptive incidents that have immediately obvious strategic implications. These can arise from serious acts of malice, misconduct or negligence, or a failure (perceived or actual) to deliver products or services that meet the expected standards of quality or safety.
  • Those stemming from poorly managed incidents and business fluctuations that are allowed to escalate to the point at which they create a crisis.
  • The emergence of latent problems with serious consequences for trust in an organization’s brand and reputation. Problems can incubate over time, typically as a result of:
    – A lack of governance allowing gradual and incremental slippages in quality, safety or management control standards to go unchecked and become accepted as a normal way of working 
    – Convenient, but unofficial, “workaround” strategies becoming the normal routine due, for example, to overcomplicated processes, unrealistic schedules, chronic personnel shortages and lax supervision 
    – Flaws in supervision and process monitoring, which promote an expectation of “getting away with” undesirable behaviors or being able to survive minor failures without reporting them, or over-reliance on controls to catch all errors, rather than an expectation of quality checks that catch only occasional problems
    – Blame cultures that encourage risk and issue cover-ups and the lack of a shared sense of mission and purpose, which generate a defensive (if not actually hostile) “them and us” attitude between staff and management, between different parts of the organization and between the organization and external interested parties
    – Poor training and development of staff and managers, or incremental loss of skills and knowledge. 

Key elements required for building a crisis management capability

Definitions aside, organizations need to take an intelligence-gathering and constant-monitoring approach to building their crisis management competency. That approach largely aligns with the life cycle understanding of crisisiii.

This cyclical mode of crisis management tends to be more strategy-oriented than the tactics-first approach implicit in popular tri-partite frameworks that include the pre-crisis, crisis, and post-crisis stages. The British standard itself adopts a fairly cyclical framework, including the following stages:

  • Anticipate.
    Identify potential crises.
  • Assess
    Analyze evidence and make judgments about potential impact and actions required.
  • Prepare
    Ensure the readiness of the organization to face high-probability crises as well as crises that are not foreseen.
  • Respond.
    Act quickly in an informed manner.
  • Recover.
    Sustain crisis response into a longer term, strategic effort to recover reputation and value. 
  • Review and learn.
    Analyze and reflect on the experience of validations, testing, and exercising, the management of crises, and the experience of others in managing crises. 
    graph 1_orange-01

The first three (largely pre-crisis) stages all point to the need for effective crisis management planning, which the standard tackles, in turn. Because, while organizations may no longer think they’re immune to disaster, they
don’t often act with sufficient urgency. Specifically, they don’t prepare themselves adequately for even the most likely crisis events. For instance, although 90 percent of organizations are confident in their crisis management capabilities, only 17 percent have actually performed the simulation exercises that would suggest crisis preparednessiv. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, but only 22 percent have performed the appropriate simulationsv. Additionally, a majority of corporate communicators say that their company either lacks a crisis communications playbook (48 percent) or are unsure of whether they have one (12 percent)vi. 

What, then, does crisis management preparedness via a best-practice crisis management plan (CMP) entail, according to the standard? For one, the CMP is a response document, focused on the provision of a generic response capability. Further, the CMP should be as concise as possible so as to ensure that it is exercised and readily understood, should a crisis break out. The document itself will typically lay out the following information:

  • Who has authority and responsibility for key decisions and actions in a crisis
  • Key contact details: how staff are to be contacted in the event of a crisis
  • Crisis communications (internal and external)
  • The activation mechanism for a crisis and how it works in practice
  • Details of levels of response across the organization (i.e. who is to be contacted for what level of a problem) and flow chart showing the sequence of actions
  • The structure and role of the CMT and what is expected of it
  • Where the CMT is to meet (with alternative locations) and what equipment and support are required
  • Key templates (such as CMT meeting agenda and logbook)
  • Log-keeping guidance
  • A situation report template which is to be used across the organization

As mentioned, a key element of the CMP effort is constituting the crisis management team, starting with a Chair who will take the lead in executing the plan itself. As for the remainder of the core crisis management team, the BS standard recommends senior managers from the company’s most important business units: Finance, HR, Operations, IT, Communications, in addition to specialized roles like Log Keeper, Support, etc. (see below).

Best-practice composition of your crisis management team

graph 2_orange-01

Among the duties ascribed to the CMT Chair is planning for decision making in crisis, in other words, “the process that leads to the selection of a course of action for more than one alternative option.” Why does crisis decision making matter? Well, crisis decision making, as the standard states, is often underestimated, ignored, or unknown. And when crisis actually strikes, it moves quickly. Quick decisions are required, with those decisions being made in a high-stakes environment (possibly the highest), where information is limited, stress is acute, and scrutiny is intense. 

Teams rarely make decisions in those conditions, which is why CMT Chairs must rehearse crisis decision making with teams. Fortunately, the BS standard offers the following recommendations for improving the effectiveness of strategic decision making in a crisis:

  • Implement, at an organizational level, policies, structures (teams and roles), plans, processes, and tools to support the organization’s crisis management capability as a whole and the CMT, in particular.
  • Gain experience in crisis decision-making environments as individuals and teams.
  • Train CMT members in the use of decision techniques to reduce the effect of uncertainty on their cognitive abilities.
  • Recognize the signs of weak decision making, including a failure to challenge evidence, assumptions, methods, logic, and conclusions, and the adoption of measures to provide alternative perspectives.

As prescribed, training members in the use of crisis decision techniques to reduce the effect of uncertainty on their cognitive abilities provides valuable trial and error learning, in a relatively controlled setting. This training helps to ensure that all team members are comfortable performing the tasks assigned to them and even going off-script as the situation demands. 

The same logic applies to coordinating planning and training efforts with third parties, e.g. key business partners, major suppliers, and public safety agencies, who might also be called in in the event of a crisis. 

The standard recognizes the fact that too few companies make the effort to engage third parties, especially public safety agencies, before crisis strikes. Even mature crisis management teams don’t check to see if their crisis management technology actually syncs with the solutions used by large rescue and response outfits.

Putting it all together: Nine fundamental crisis management principles:

  1. Achieve control as soon as possible
  2. Communicate effectively, both internally and externally
  3. Be prepared with clear, universally understood structures, roles, and responsibilities
  4. Build situational awareness by good information management, challenge and collective working
  5. Have a clear and well-rehearsed decision-making and action driving process
  6. Effective leadership at all levels of the organization
  7. Ensure people with specific crisis management roles are competent through appropriate training, exercising, and evaluation of their knowledge, skills, and experience
  8. Maintain a comprehensive record and policy log of all decisions taken, including the facts known at the time and any assumptions made
  9. Learn from mistakes and make changes to prevent their reoccurrence

Finally, a comprehensive, yet flexible standard, BS 11200 proves a surefire means to develop a best-practice crisis management capability at your organization. And not just that: by clearly setting out the principles and practices that enable effective crisis response, the standard aids in the ongoing development of that capability, as well. So, turn crises into growth opportunities by applying BS 11200 at your organization. 

But don’t stop there. Management system standards often require management software to ensure efficiency in their application. Crisis management is no different, with flexible corporate crisis and business continuity management solutions, like Noggin Crisis, helping response teams and decision makers confront every stage of the crisis and business continuity management lifecycle with the tools and information they need to know what’s happening, collaborate quickly and effectively, make better decisions, and enact the right plans to take action when it counts the most.

Citations

i Available at Forrester, Forrester Opportunity Snapshot: Take a Unified Approach To Critical Event Management.

ii Federal Emergency Management Agency: Make Your Business Resilient. Available at https://www.fema.gov/media-library/assets/documents/108451.

iii Dawn R. Gilpin, Priscilla J. Murphy: Crisis Management in a Complex World. Available at https://books.google.com/booksid=_7rW6w7duDUC&pg=PA19&lpg=PA19&dq=crisis+management+lifecycle&source=bl&ots=jwJDoU7dfa&sig=BCQOC9MNz632lPo6dCivA9fFQsg&hl=en&sa=X&ved=0ahUKEwiJ_sPfxZ7ZAhUB3GMKHdO4CMcQ6AEIbzAO#v=onepage&q=crisis%20management%20lifecycle&f=false.

iv Ibid.

v Ibid.

vi Seth Arenstein, PR News. PR News/Nasdaq Survey: Nearly Half of Organizations Shun Crisis Preparation. Available at http://www.prnewsonline.com/pr-newsnasdaq-survey-nearly-half-organizations-shun-crisis-preparation/
New call-to-action
close (3)

Download your copy