· 6 min read
A crisis may come in many forms, such as a natural disaster, a global pandemic, loss of power and water supply, a cyberattack, an operational accident, violent threats or supply chain issues. In a manufacturing environment, a crisis is defined as an unexpected event or situation that can threaten an organization’s business, cause harm to the health and safety of employees and consumers, disrupt operations or damage a company’s brand or reputation. An organization’s reaction to and the consequences of a crisis can vary significantly for each company, depending on factors such as crisis preparedness, maturity, size and scale of operations and financial viability. The COVID-19 pandemic has made most organizations aware of vulnerabilities in anticipating, preparing for, responding to and managing crises. There has been a renewed awareness of the importance of a robust crisis management plan (CMP) and a focus on business continuity.
Planning can help an organization contain and mitigate the negative effects of a crisis. The reaction of an organization to a crisis speaks to its culture and reflects its leadership. The way that business leaders prepare for and respond to disruptive events can determine how they recover and become resilient.
In a 2018 Deloitte survey of organizations from around the globe, 47% of those without a crisis management plan reported that their finances were negatively impacted by a recent crisis, compared to 31% of those that did have a plan.1
Similarly, a 2019 PwC global crisis survey of various organizations from different industries across the globe found that organizations that emerged stronger from a crisis had implemented preparatory measures (such as having a CMP in place) in anticipation of a crisis.2
NSF recognizes the importance of crisis management and how having a process affects business continuity. NSF’s GMP registration and certification programs include requirements for organizations to implement a CMP to address situations or emergencies arising from a crisis that may impact their ability to deliver a safe product. The purpose of a CMP is to prepare an organization to respond quickly to a crisis, minimize the harm and restore operations in an effective and efficient manner.
Business continuity and the implementation of a CMP is the responsibility of each employee, department, the crisis management plan team, executive management and the board of directors.
A starting point is to identify the industry threats and those unique to your organization, location or region, market, products and processes. After identification, assess threats for likelihood and the expected severity of the impact. Next, identify warning signs for each crisis. These assessments will assist with prioritizing actions and allocating resources.
This NSF risk analysis matrix can help in your assessment.
Examples of questions to ask during the assessment process:
According to the 2019 PwC global study, three characteristics comprise successful crisis management: preparedness, a fact-based approach and effectiveness of stakeholder communications. The study also found that while it is a positive sign that most senior executives want to own and be involved in preparing for and responding to a crisis, an overlap of roles and responsibilities may occur. This can affect effective and efficient coordination, communication and decision-making during a crisis.3
A CMP serves as a guidebook for an organization to navigate the different situations that can arise from a crisis and who is responsible for each item. An effective CMP has the following elements:
To quickly execute a CMP during a crisis, it is important to perform a periodic exercise or simulation to test the plan. Practices or drills of different crisis situations can reveal an organization’s strengths as well as gaps in the level of preparedness. After the challenge, the team should analyze what went well and what did not, and update the CMP accordingly. In testing the crisis management plan, the organization must include the impact to product safety as well as the safety of its employees.
Providing crisis management training and including all personnel in the test scenarios will make them aware of the CMP. This will empower personnel to be proactive when a crisis does arise, including knowing whom to inform.
Disruption to an organization’s business can occur when it is least expected, so it is important that an organization looks ahead and assesses potential threats, whether internal or external. As the business environment changes, the CMP may need to be updated as well. The CMP must be reviewed on a periodic basis to ensure it will still be effective in the event of an actual crisis.
In addition to having a CMP to respond quickly to a crisis, an organization must also have a plan in place to continue operations during an incident and recover from the crisis. Business continuity planning is an ongoing process to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies, recovery plans and continuity of services.4 A business continuity plan (BCP) is the document that contains these strategies.
Interrelation of CMP with BCP
The process of developing a BCP is similar to developing a CMP. The BCP incorporates all hazards (human-caused events, technological issues and natural hazards) and a risk assessment to understand the business impact to people, infrastructure, operations, the environment, economic conditions, regulatory and contractual obligations, and reputation. The analysis identifies what is an unacceptable impact for loss of information, critical processes, function and applications, among other factors.
Senior management then establishes a prevention strategy based on the results of hazard identification and risk assessment, impact analysis, program constraints, operational experience and cost-benefit analysis. Prevention includes training, monitoring of the quality management system, testing the BCP at a determined frequency and performing exercises to ensure the program is working. Last but not least, mitigation strategies must be applied to ensure measures are taken to limit or control the consequences, extent or severity of an incident that cannot be prevented.
In structuring the BCP, consider factors such as the regulatory landscape, contractual obligations, financial resources and infrastructure. The commitment of senior management in applying resources to ensure recovery and continuity of operations will ensure a strong business continuity program.
Preparing a CMP and BCP takes resources, time and effort, but it is imperative that an organization is vigilant to possible new threats while continuing to monitor existing ones. The COVID-19 pandemic has shown that a crisis can occur unexpectedly and from unanticipated sources. An organization can emerge better, stronger and more resilient from a crisis if it is able to anticipate and assess potential threats and has a plan in place to quickly respond and recover.
1 Deloitte. Stronger, fitter, better: Crisis Management for the resilient enterprise. June 2018. (https://www2.deloitte.com/us/en/insights/topics/risk-management/crisis-management-plan-resilient-enterprise.html)
2 PwC 2019 Global Crisis Survey (https://www.pwc.com/gx/en/services/forensics/global-crisis-survey.html)
3 PwC 2019 Global Crisis Survey
3 NFPA1600 Standard on Disaster/Emergency Management and Business Continuity Programs 2010 Edition