October 2020

Creating a Successful Crisis Management Plan

NSF International discusses how to handle different types of crises that may arise at your facility. If 2020 has shown us anything, it’s that we need to adapt to outside elements that may affect your team processes and procedures. Let’s get started on a crisis management plan.
Dominos representing crisis management

A crisis may come in many forms, such as a natural disaster, a global pandemic, loss of power and water supply, a cyberattack, an operational accident, violent threats or supply chain issues. In a manufacturing environment, a crisis is defined as an unexpected event or situation that can threaten an organization’s business, cause harm to the health and safety of employees and consumers, disrupt operations or damage a company’s brand or reputation. An organization’s reaction to and the consequences of a crisis can vary significantly for each company, depending on factors such as crisis preparedness, maturity, size and scale of operations and financial viability. The COVID-19 pandemic has made most organizations aware of vulnerabilities in anticipating, preparing for, responding to and managing crises. There has been a renewed awareness of the importance of a robust crisis management plan (CMP) and a focus on business continuity.

What to Do and Where to Start

Planning can help an organization contain and mitigate the negative effects of a crisis. The reaction of an organization to a crisis speaks to its culture and reflects its leadership. The way that business leaders prepare for and respond to disruptive events can determine how they recover and become resilient.

In a 2018 Deloitte survey of organizations from around the globe, 47% of those without a crisis management plan reported that their finances were negatively impacted by a recent crisis, compared to 31% of those that did have a plan.1

Similarly, a 2019 PwC global crisis survey of various organizations from different industries across the globe found that organizations that emerged stronger from a crisis had implemented preparatory measures (such as having a CMP in place) in anticipation of a crisis.2

NSF recognizes the importance of crisis management and how having a process affects business continuity. NSF’s GMP registration and certification programs include requirements for organizations to implement a CMP to address situations or emergencies arising from a crisis that may impact their ability to deliver a safe product. The purpose of a CMP is to prepare an organization to respond quickly to a crisis, minimize the harm and restore operations in an effective and efficient manner.

Business continuity and the implementation of a CMP is the responsibility of each employee, department, the crisis management plan team, executive management and the board of directors.

Steps in Developing and Maintaining a CMP

Steps in Developing and Maintaining a CMP

1. Assess Company Threats

A starting point is to identify the industry threats and those unique to your organization, location or region, market, products and processes. After identification, assess threats for likelihood and the expected severity of the impact. Next, identify warning signs for each crisis. These assessments will assist with prioritizing actions and allocating resources.

This NSF risk analysis matrix can help in your assessment.

NSF risk analysis matrix can help in your assessment

Examples of questions to ask during the assessment process:

  • What are the potential threats to your organization that could result in a crisis, thus impacting your ability to deliver a safe product?
  • How vulnerable is your organization to these threats?
  • What are the potential impacts of the crisis?
  • How will the crisis impact the operations at the site?
  • What mechanisms does your organization currently have to track and respond to these potential threats?

2. Develop a Crisis Management Plan

According to the 2019 PwC global study, three characteristics comprise successful crisis management: preparedness, a fact-based approach and effectiveness of stakeholder communications. The study also found that while it is a positive sign that most senior executives want to own and be involved in preparing for and responding to a crisis, an overlap of roles and responsibilities may occur. This can affect effective and efficient coordination, communication and decision-making during a crisis.3

A CMP serves as a guidebook for an organization to navigate the different situations that can arise from a crisis and who is responsible for each item. An effective CMP has the following elements:

  1. Form the crisis management team
    • Define and assign responsibilities for gathering information and for initiating, coordinating and overseeing crises responses
    • Establish sources of credible and factual information
    • Find resources for expert and legal advice
  2. Determine management responsibility
    • Define lines of authority and accountability (hierarchy)
    • Establish escalation process for decisions
  3. Establish strategies for internal communications
    • Define tools, routes and responsibilities for communications
    • Set a process for disseminating and sharing information between crisis management team and employees
    • Draft key messaging and talking points
  4. Establish strategies for external communications
    • Define tools, routes and responsibilities for communications
    • Set a process for communication with authorities, regulatory agencies, stakeholders, media and the public
    • Draft key messaging and talking points
  5. Establish detailed action plans for identified crises
    • Define controls to ensure a response does not compromise product safety
    • Set measures to identify and isolate product affected by the crisis
    • Identify availability of resources and provisions for back-up sources for critical systems
    • Define and track key performance indicators (KPIs)
    • Set measures to evaluate and determine disposition of affected product

3. Test the Crisis Management Plan

To quickly execute a CMP during a crisis, it is important to perform a periodic exercise or simulation to test the plan. Practices or drills of different crisis situations can reveal an organization’s strengths as well as gaps in the level of preparedness. After the challenge, the team should analyze what went well and what did not, and update the CMP accordingly. In testing the crisis management plan, the organization must include the impact to product safety as well as the safety of its employees.

Providing crisis management training and including all personnel in the test scenarios will make them aware of the CMP. This will empower personnel to be proactive when a crisis does arise, including knowing whom to inform.

4. Monitor Threats and Review the CMP

Disruption to an organization’s business can occur when it is least expected, so it is important that an organization looks ahead and assesses potential threats, whether internal or external. As the business environment changes, the CMP may need to be updated as well. The CMP must be reviewed on a periodic basis to ensure it will still be effective in the event of an actual crisis.

Business Continuity

In addition to having a CMP to respond quickly to a crisis, an organization must also have a plan in place to continue operations during an incident and recover from the crisis. Business continuity planning is an ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans and continuity of services.4 A business continuity plan (BCP) is the document that contains these strategies.

Interrelation of CMP with BCP

Interrelation of CMP with BCP

The process of developing a BCP is similar to developing a CMP. The BCP incorporates all hazards (human-caused events, technological issues and natural hazards) and a risk assessment to understand the business impact to people, infrastructure, operations, the environment, economic conditions, regulatory and contractual obligations, and reputation. The analysis identifies what is an unacceptable impact for loss of information, critical processes, function and applications, among other factors.

Senior management then establishes a prevention strategy based on the results of hazard identification and risk assessment, impact analysis, program constraints, operational experience and cost-benefit analysis. Prevention includes training, monitoring of the quality management system, testing the BCP at a determined frequency and performing exercises to ensure the program is working. Last but not least, mitigation strategies must be applied to ensure measures are taken to limit or control the consequences, extent or severity of an incident that cannot be prevented.

In structuring the BCP, consider factors such as the regulatory landscape, contractual obligations, financial resources and infrastructure. The commitment of senior management in applying resources to ensure recovery and continuity of operations will ensure a strong business continuity program.

Summary

Preparing a CMP and BCP takes resources, time and effort, but it is imperative that an organization is vigilant to possible new threats while continuing to monitor existing ones. The COVID-19 pandemic has shown that a crisis can occur unexpectedly and from unanticipated sources. An organization can emerge better, stronger and more resilient from a crisis if it is able to anticipate and assess potential threats and has a plan in place to quickly respond and recover.

1 Deloitte. Stronger, fitter, better: Crisis Management for the resilient enterprise. June 2018. (https://www2.deloitte.com/us/en/insights/topics/risk-management/crisis-management-plan-resilient-enterprise.html)

2 PwC 2019 Global Crisis Survey (https://www.pwc.com/gx/en/services/forensics/global-crisis-survey.html)

3 PwC 2019 Global Crisis Survey

3 NFPA1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition