When does the Crisis Management team let go and the Business Continuity team take over?
I think these two teams need to work together from the outset, but there is a point where the “lead” is handed over from Crisis Management to Business Continuity.
How do these two teams work together in your organization? Or is there just one person/ team who leads both?
Feeback from BCP Builder Community on LinkedIn:
Proactive vs Reactive
- Business Continuity Management is proactive while Crisis Management is reactive. Business Continuity prepares the organization to continue during an incident whereas Crisis Management is when all efforts fail and we try to put things in place.
- Business Continuity is an enabling discipline. Crisis Management is a controlling discipline. The former enables an organization to continue a level of effective operation, whilst at the same time the latter takes the impact event under control. Teach that difference and your organization will apply both people and budgets effectively. It completely sets the separation between Crisis Management and Business Continuity. And what’s more the clients like and understand it.
Good Practice Guidelines
- The Good Practice Guidelines talk of a response structure which is team based. Possibly, if the organisation is complex and so structured, split into Strategic, Tactical and Operational response teams. Some simply have Strategic (Crisis/Media) and operational. Not all incidents are crises, not all incidents are in need of business continuity. The key, is that there is a structure with known and understood trigger points that move command and control up or down the pyramid of command. A response structure that allows, escalation or de-escalation triggers to move the response appropriately, based on a situation report that reviews the triggers. The structure should match the organizational structure. The process of response structure creation, depends on the size, complexity and maturity of the organization. Crisis levels are reached when planning assumptions are breached and a strategic response is required. No standard response structure exists, only your chosen response structure.
- It is important to practice this hand over in a exercise to make sure both Crisis Management and Business Continuity teams practice working together.
COSO – Operations Led Crisis Management
- Crises must be managed by Executives (and their teams). The Business Continuity business unit is a second line of defense (COSO model), we don’t manage incident or crisis. We are just here to make sure they test the plans, they execute them correctly and for internal consulting. Operational teams (IT, operations, business, finances, etc.) are those who execute the plans, they are not a business continuity team. If we select people from the operational teams to be member of a business continuity team, it will limit the scope and the capability of recovery of the organization. If we need to execute a plan and if it’s not a crisis, same answer: Operational teams should execute the plan, not a Business Continuity Team.
- There has to be two separate teams for Business Continuity and Crisis Management. While the former guides in the various strategies to be followed, the actual management of the Crisis is done by the ‘Support’ functions such as Facilities, IT, HR etc. However, there has to be a single framework that includes both these and probably one single team that owns both.
The 5 Components of COSO: C.R.I.M.E.
The five components of COSO – control environment, risk assessment, information and communication, monitoring activities, and existing control activities – are often referred to by the acronym C.R.I.M.E. To get the most out of your SOC 1 compliance, you need to understand what each of these components includes.
-
- Control Environment: How has management put into place policies and procedures that guide the organization? What kind of tone has management set in the organization so that everyone knows that they are supposed to make sure that your controls are operating effectively and are achieving the results that they expect?
- Risk Assessment: How does your organization assess risk in order to identify the things that threaten the achievement of their objectives?
- Information and Communication: How does management communicate to their internal and external users what is expected of them? How do you make sure that you receive acknowledgement from those people that they understand what you’re asking them to do?
- Monitoring Activities: How does management oversee the functioning of the entire organization? How do you identify when things aren’t working correctly and correct those deficiencies as quickly as you possibly can?
- Existing Control Activities: What are the controls that you currently have in place? Were they in place and operating effectively over a period of time?
Visual Model
- If the question is just Crisis Management and Business Continuity, draw a long rectangle. On the left upper is Crisis Management with some large part. Lower left is Business Continuity. Right side the opposite. Now draw a lie between the 2 sides. It should be that easy. It’s not. There will be bumps and loops. Notice I didn’t mention length of time. The Emergency Operations Center is part of Crisis Management but is bigger and different. In some cases the Emergency Operations Center may ‘stand up’ as an observer until a decision is made with the Businesses, Crisis Management and Business Continuity teams.
- Business Continuity often overlaps crisis response. Each process will have a different recovery timeline. Some processes require little intervention to recover.
Management
- It has a lot to do with mindset and how business continuity and crisis management is viewed by Management. That helps set the tone for processes.
- In some organizations it can be one person taking on a coordination role. Public Relations would take the lead in crisis communications with input from Risk Management while Risk Management would lead the business continuity effort. Mock drills and table top exercises are part and parcel of the program to ensure cooperation and collaboration between parties, including external entities.
Emergency Management
- The four phases of emergency management could apply. Preparedness, response, recover and mitigation are discussed as sequential activities, but they should all take place concurrently even though there may be more emphasis on one phase at any given time.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.