Despite the ongoing threat of coronavirus, 2020 has been a year of protest. From Minnesota to Belarus, growing social, economic and political change has driven protesters to the streets. However, according to research from the Center of Strategic and International Studies (CSIS), this is no new phenomenom but part of a growing trend. Since 2009, CSIS data shows the number of global mass protests has increased annually by an average of 11.5%.
Beyond protests, other unplanned crisis events are becoming more frequent, unpredictable and severe. By September, the Atlantic hurricane season had seen seven named storms make landfall in the U.S. for the first time ever. Meanwhile in California, not only did the 2020 wildfire season start earlier than expected, it has become the largest ever.
For organizations trying to safeguard their employees, facilities or business-critical operations, planning for crisis has never been so crucial. As companies have grown and developed in size and complexity, they have become more susceptible to the financial, safety and reputational implications of these events.
According to a survey of senior executives by Deloitte, 56% believe their organization is inadequately prepared for these crises. The $500 million damage to businesses in the first two weeks of the George Floyd protests in Minneapolis–Saint Paul, Minn. and the $10 billion damage caused by Hurricane Laura, suggest these beliefs are justifiably held.
However, in the same survey, 93% of senior executives believed organizations could prepare for a crisis or unplanned event. This disparity between an organization’s current and possible crisis resilience is down to insufficient consideration of assets, risks, response and after-action procedures within their existing security protocols. With this in mind, here are five crucial steps organizations can take to achieve greater resilience to protests and other unplanned events.
1. Knowing Your Assets
Before an organization can understand how a protest or crisis event might impact their operations or the life safety of their staff, they must consider two crucial factors. First, what their assets are, and second, where those assets are located.
There is an assumption that an organization’s assets are simply constituted of physical objects, such as facilities, aircraft, vessels or vehicles. However, an asset can constitute value beyond a material entity, to include people, information, reputation and supply chains.
Identifying the full scale of an organization’s assets is complex, but essential. If an organization wishes to become truly resilient to protests and unplanned events, they must understand where assets are located globally, how critical they are to business operations and who in the organization has responsibility for the protection or recovery of those assets during a crisis.
Considerable thought must also be given to how frequently this data is updated, recognizing that some assets are not static: employees are constantly moving, supply chains adjusting, offices relocating, and business-critical operations always evolving.
Consequently, the best way to address these factors is by ensuring that data is synchronized and unified in a central hub, as opposed to being siloed in different departments or stored on disparate systems. This allows security teams and risk managers to develop a common operating picture from which they can begin to assess and monitor what risks might impact which assets.
2. Identifying and Monitoring Risks
Once an organization has structured and unified its asset data, it can begin to identify and monitor potential threats. Where possible, this aspect of risk management should be geared toward being proactive, as opposed to reactive.
The nature of protests means they require a degree of planning. As such, effective security managers should monitor social media, community groups and news outlets to find out whether protests are planned in close proximity to any of their assets. This will give them time to alert relevant employees and stakeholders, close the facility, improve its physical security, or take other actions to ensure the protection of their staff, customers or business-critical operations.
Additionally for violent incidents, corporate security, business continuity and supply chain risk managers should aim to use social media aggregators. The majority of these services use artificial intelligence to detect emerging high-impact events from public data. It typically means their alerts on shootings, riots and terrorist incidents proceed news reports by minutes or even hours. This extra time proves invaluable for security teams to take action.
When it comes to natural disasters, Internet of Things (IoT) devices and sensors are transforming how events are being detected and reported. Not only do IoT devices provide real-time alerts for earthquakes, wind speeds, river flooding, storm surges, air quality, volcanic eruptions and tsunamis, but data analytics tied to the live data feed can instantly contextualize the magnitude of an event. This can help organizations assess the potential scale and destruction, often minutes, hours or even days ahead of the impact.
Additionally, some of these unplanned events come with a further, albeit small, degree of predictability. Hurricanes, wildfires, tornados and some other unplanned natural disasters are more likely in certain geographies and time frames, allowing organizations to proactively bolster their monitoring efforts in specific areas and during known seasonal windows.
However, just as with asset data, this risk information is usually consumed via disparate online portals and alerted via different communication channels. Organizations are then left to piece together the varying data, the full impact of the risk event, and identify what assets may be impacted. This process could take several hours, limiting the effectiveness of a mitigating response.
Where possible, crisis management teams should have a unified global view of both risk events and their organization’s assets. Only then can organizations determine the fastest and most effective response to mitigate operational impact and safeguard their employee and customer wellbeing.
3. Notifying and Communicating
When a protest or another unplanned event occurs, it is crucial that an organization is able to rapidly communicate with its assets and associated stakeholders. Organizations need to ensure that these relevant actors are aware of the event, its potential impact, as well as the best means to minimize any business disruption or safety concerns. Therefore, it is vital that organizations have robust communication procedures and technology to manage effective mass notifications.
Even though advances in technology have seen the adoption of more notification channels, such as instant messaging, desktop or in-app alerts and social media, data protection and privacy concerns mean that telephone, email and SMS text messages remain the most common and effective means of communication.
Whichever communication systems an organization uses to notify its people of an unplanned crisis event, having prepared communication templates is essential for ensuring rapid dissemination of information to relevant areas of the business that could be impacted. Furthermore, with templated communications an organization can leverage mass communication technologies to seamless automated messages, allowing those in close proximity to the event to take precautionary action, while its scale and operational impact is analyzed.
Within a unified crisis management framework, communications technology would be integrated alongside asset data and risk information. In such a case, automation is optimized by a centralized platform. It identifies whether a protest or other unplanned event is occurring in close proximity to assets, and subsequently initiates auto-messaging to staff and key stakeholders associated with the relevant assets or business operations.
4. Developing Crisis Response Plans
Every event is different in its scale, impact and threat to operations. Even though hurricanes are expected every year from the Atlantic basin, the varying intensity and path of the storms make them impossible to completely prepare for. Similarly, one can expect protests on Pennsylvania Avenue in Washington, D.C. throughout the year, but knowing when they will occur, the size of the crowds, and knowing whether they are peaceful or violent is impossible.
Despite this, whether a natural disaster or man-made risk event, there are a number of steps an organization can take in advance to assess the risk posed to operations or its staff, as well as how to respond effectively.
By defining standard operating procedures (SOPs) for risk events, organizations can ensure a measured and timely response, even for the most unexpected crises. Although these playbooks, as they are sometimes referred to, will not address every risk scenario, they often guide response teams through the most effective way of mitigating operational impact, as well as covering off any compliance issues. Furthermore, when applied to a specific risk event, they inevitably identify indirect operational concerns that might not have been immediately obvious.
Additionally, it is crucial to ensure that these SOPs for different types of unplanned events are centralized and readily available. It will allow everyone from executives to the on-the-ground crisis response teams to be aware of the procedure and the expected response to the crisis.
5. Auditing and Learning
Finally, an organization’s resilience to unplanned events can only improve through after-action reviews. Resilience is built when organizations understand where their crisis response process can be made faster and more effective.
After each risk event, no matter the scale, type or frequency, organizations should consider: how they can improve their alerting mechanisms; how they identify assets in close proximity to the threat; how they communicate effectively to those at risk; and how they collaborate with key stakeholders across the organization to ensure a comprehensive response.
This can only be achieved if there is clear auditing or documentation of decisions around the management of a protest or unplanned event. Reviewing decisions, the time frame around information and events, and when plans were enacted can highlight where there was a lack of clarity around specific event reports and decisions. This process can be conducted far more effectively when supported by technology. It allows for the creation of an automated audit log of when information was received and decisions were made.
All in all, after-action reviews are about learning and creating best practices which can be inserted into SOP templates for future risk events. It is not an exercise for blaming decision makers or the efforts of those carrying out plans, but is instead a means for improving future crisis resilience.
Minimizing the Impact
For businesses to survive this complex operating environment, companies must move away from old crisis methodologies and adopt cohesive policies that leverage new technologies for data management and reporting. Organizations must be able to proactively identify risks to business disruption or employee life safety, rapidly adapting their responses to minimize the impact of ongoing situations. Only then can an organization be resilient enough to fulfill its duty of care requirements toward employees and customers, as well as be able to maintain business continuity during even the largest of unplanned events.