Q. My company has gone through a couple of damaging incidents recently and we were not well prepared. What are some tips on making sure we’re prepared better next time?
A. As a business continuity professional for several large companies, I have witnessed countless incidents where we could have been better prepared. Before each crisis, the companies that I was with had a decent plan in place. After the incident recovery phase, we had a better plan. Regardless of the maturity of your security department, there are always key learning opportunities that come from managing an incident (for example, supply chain disruption, natural disasters, loss of proprietary information, workplace violence, product contamination).
These are some important questions to ask ahead of time. Is your organization ready to handle a specific crisis? Do you have different teams set up to manage all facets of response and recovery? I’ve always been a fan of the crawl, walk, run philosophy. Start small. Talk to colleagues and benchmark your program against theirs – What does their internal training look like? What are they outsourcing? Evaluate your top risks. Garner buy-in from your “C” suite by meeting with them and explaining the soft and hard benefits of having a robust, wholistic business continuity program. Educate stakeholders. Get your phone lists together. Establish a primary and secondary crisis meeting room. Run a table top exercise.
Don’t assume that someone on the crisis management team will handle the event well due to their title or experience. The leadership required to manage each crisis is unique and truly situational. Look for opportunities to partner with other companies that share best practices across industries and to elevate your current program and mitigate future risks. Collaborate with colleagues on proven solutions that they’ve utilized to prevent, respond to, and recover from an incident. Some of these may include notification systems, public/private partnerships, and/or physical security measures.