Preparing for the Next Crisis
By TorchStone VP, Scott Stewart
The COVID-19 crisis is unlike anything most of us have experienced in our professional lives. It is presenting an array of new security challenges as workplaces are shut down, tens of millions of workers have been laid off, and those still on the payroll are now mostly working from home. Companies are experiencing terrible financial losses due to the economic slowdown and in many cases, these losses are resulting in security budgets being cut.
However, this is not the first crisis most of us have experienced in our professional lives. The last two decades have brought us the 9/11 attacks; the Asian Tsunami; SARS; MERS; the 2007-2008 financial crisis; the dot.com bust; decades-long wars in Afghanistan and Iraq; significant terrorist attacks in London, Paris, Madrid, Mumbai, Brussels, and other global cities; the Fukushima Daiichi nuclear disaster; the Arab Spring; threats of war in the Straits of Hormuz and on the Korean Peninsula; the rise of the Islamic State; Hurricane Katrina; the invasion of Crimea; and Brexit, among many others.
Some of these events may have impacted your company more than others, but this list of significant events demonstrates that crises are to be expected and that, based on recent history, we will undoubtedly face several more crises—and the unique challenges each crisis will bring with it—over the coming decade. With that in mind, let’s delve a bit deeper into managing security during such challenges, and how to best prepare for the next crisis.
Planning is Worth the Effort
First, if your company did not have contingency plans in place before the COVID-19 crisis, I would hope that this event has demonstrated the importance of having such plans in place. I know from experience that it can sometimes be difficult to persuade company leadership of the importance of contingency planning, but the sheer magnitude of this present crisis and the disruptions it has caused are potent reminders of the importance of contingency planning, testing plans and conducting tabletop crisis exercises. Those companies that had solid, tested contingency plans in place have been able to weather this storm in better shape than companies that had no plan, or a poorly conceived or untested plan.
Even companies that did not have a specific contingency plan for a pandemic have benefitted from having solid plans in place for other events that would keep them from working in the office, such as natural disasters. They have been able to adapt those plans to the current circumstances, and this has proved far better than having to craft a plan from scratch on the fly – a process some have described as “building an airplane while in flight.”
But regardless of whether you are working from a pandemic plan, have adapted another plan to deal with the pandemic, or have been forced to make things up on the fly, now is the time to begin to prepare for the next crisis. One of the most valuable things one can do during a crisis is to maintain a detailed log of the problems encountered, as well as a thorough description of how those problems were addressed. It is important not to just note actions that succeeded in solving the problems; it is just as critical to list the attempted solutions that failed. Additionally, any faulty assumptions that were contained in the original plan should be documented, as well as any other things that should be adjusted for future plans. Plans are guidelines, and they will invariably need to be changed and improved as they are being executed. Those adjustments should be documented to ensure the lessons learned during this crisis will help better prepare you to face the next one.
Once this crisis is over, I would also strongly suggest conducting a formal after-action review of the crisis response that includes the participation of all the company’s key decision-makers. It is critical that these decision-makers not only get a chance to review the log of problems, solutions, and lessons learned but also provide their perspective on the contingency plan and how it held up as the crisis unfolded. The findings of this after-action review should also be carefully documented so that they can be used to update all your contingency plans based on the lessons learned. These findings can also help shape future tabletop exercises and crisis simulations designed to help strengthen noted deficiencies.
With Great Challenges Come Great Opportunities
When things are going smoothly and security programs are effectively mitigating problems, it can sometimes be difficult to get company leadership to understand the real value of their corporate security programs. Crisis events are the time when security managers and business continuity professionals get to demonstrate their value and display the critical nature of their work.
The first way security personnel can demonstrate their value is by their demeanor and presence. In the middle of the storm, they must assure the company’s leadership that they have the security aspects of the crisis under control. They should be models of calm confidence and they should be reassuring to the rest of the company leadership. The message they should send is: “Yes, we are facing a huge challenge, but we are prepared for it and we will get through it.”
As noted above, security managers can also demonstrate great value if they have a well-prepared crisis plan that is ready to be implemented when directed. But even if they do not have a plan, a crisis is a very good opportunity to demonstrate that they are creative and flexible solution providers. Yes, I said flexible. I know that for many security managers, especially those who are former military and/or law enforcement like me, flexibility can sometimes be a struggle — as can creativity. However, security managers must force themselves to be adaptive and think outside of the box when they are faced with a rapidly changing situation and a myriad of problems during a crisis. They must also adopt the mindset that they are solution providers, even if it means they must move outside of their normal area of responsibility and take care of some non-traditional security duties. Nobody wants to hear “that’s not my job” during a crisis.
The ability to remain calm, act decisively, adapt and provide solutions during a crisis will be remembered by company leadership when the crisis has passed and will serve to provide security managers valuable credibility in the eyes of leadership as they begin to plan and prepare for the next crisis.
Enabling Business Amidst the Challenges
The best security programs don’t constrain business, they enable it. Too many times security managers tend to be “Dr. No,” and list reasons why something can’t be done due to risks and challenges – and that has cost many of them their jobs. It is far better to adopt a “yes, but” approach to security; one that seeks to design creative security solutions to enable business to continue in the midst of risks and challenges. Adopting this approach can allow security managers to be seen as agents of business resilience.
And challenges will come. Every business runs a myriad of risks daily and a crisis event such as a pandemic is just one of those risks. Any attempt to avoid all risk will quickly lead to business paralysis. This means that the issue is not avoiding risk; rather, it is identifying and understanding the risks so that appropriate security measures can be taken to mitigate those that cannot be avoided, and plans prepared to respond to worst-case scenarios.
A proper understanding of the risks can also provide an important guide for business decisions on whether to expand, suspend or even end operations in normal times, and it is doubly applicable to operating in times of crisis. And this brings us back to contingency planning. Understanding risks is critical to the crafting of effective contingency plans, as well as to establishing tripwires that will serve to trigger the activation of the plans, or individual stages of the plan.
By helping companies identify and understand the risks they face, implementing prudent security measures to mitigate the unavoidable risks, and providing training to enable personnel to continue to operate in the face of challenges with resilience, security managers can serve as important enablers of business, instead of obstacles. This will put them in a strong position as they prepare their programs, plans, and personnel to face the next crisis.