What Is Crisis Management?

Disasters and other events that stop normal business processes require that management take immediate action to ensure the health and safety of personnel, and the viability of the enterprise.

Key Issue
How will enterprises arm themselves to address increasing information security risk?

Key Elements of Business Continuity Planning
Gartner defines business continuity planning (BCP; see Figure 1) as a process with five essential components:

• Disaster recovery
• Business recovery
• Business resumption
• Contingency planning
• Crisis management (required for the entire event)

Crisis management is the enterprise's first response to an event that could change the way business operations are normally conducted. A well-managed approach to such an event will help significantly to ensure that employees, customers, partners, investors and the general public continue to have confidence in the financial viability of the enterprise.

Gartner estimates that 85 percent of Global 2000 enterprises have established a disaster recovery plan that addresses the recovery of their core technology infrastructure, but only 15 percent have a full-fledged business continuity plan covering all five critical components. This is dangerous; enterprises must shift from a disaster recovery focus to business continuity because most, if not all, stages of the business life cycle now totally depend on IT services. BCP is vital to the maintenance of public, customer and investor confidence.

E-commerce initiatives do not change the five components of BCP, nor do external events impacting the normal business cycle. These factors simply place more importance on the enterprise's contingency and crisis management plans because of the public nature of outages and the increasing reliance on external services providers for processing. The potential range of failures must be determined from an organizational perspective, and all interdependencies must be planned for appropriately. Each component of the business process must be addressed in the recovery plan, and enterprises must perform an end-to-end analysis of the information flow through internal and external processing environments to successfully provide recovery options for all potential scenarios.

An Effective Crisis Management Team
The crisis management team is responsible for managing the event from an enterprise perspective and covers the following major activities:

• Supporting personnel and their loved ones during the crisis
• Determining the event's impact on normal business operations and, if necessary, making a disaster declaration
• Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
• Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media and other interested parties

• Local law enforcement and other officials (e.g., fire and police)
• Utilities (e.g., gas, electricity and telephone)
• Facilities management

An effective crisis management team must have participation from:

• Senior management from each business unit
• Human resources
• Facilities/building management
• Risk management (operational, financial and IT)
• Legal/compliance
• Communications/public relations
• Chief information officer/chief technology officer
• Business continuity manager

Personnel Contact Information and Call Tree: Because not all disasters occur during business hours — and because not all personnel will necessarily proceed immediately to the evacuation location — personnel contact information is essential to management's efforts to reach and account for all personnel. Management must document and regularly update a broad range of contact information — including home, office, vacation home and mobile telephone numbers, work and personal e-mail addresses, and pager numbers — to ensure that many contact channels are available.

The establishment of a call tree — i.e., a list that defines who is responsible for calling whom in the event of a disaster — makes contacting personnel significantly easier. The call tree must be updated frequently and following any change in organization, location or employee contact information, and tested, at minimum, during testing of the business continuity plan. Tests should be unplanned to ensure realistic results. Enterprises may use automated services for call tree testing and for implementation of the call tree during an actual disaster.

Emergency Information Card: An emergency information card will remind all employees, consultants and contract workers of critical information during and after the event. Typical components of an emergency information card include:

• Immediate evacuation location: an address near the facility where personnel will assemble immediately after the event so that a head count can be taken and instructions given regarding the management of the event
• Assembly location: an address where personnel not involved in the recovery operations, but not immediately sent home, can be sheltered, supported and given frequent updates on the event (depending on the scope of the event, reentry to the building may be possible)
• Recovery location: the address of an alternate processing site where business will be resumed after a disaster is declared
• Emergency hot line: typically, a toll-free telephone number that personnel can use to receive and disseminate information
• Business continuity coordinator — the name, telephone number and e-mail address of the person responsible for each department's recovery response

References
The following references may be of value to enterprises preparing crisis management plans:

• "Emergency Planning Guide for Continuity Officials" (New York publication, 1999)
• U.S. Federal Emergency Management Agency (FEMA) Web site — www.fema.gov (includes a list of courses and workshops related to emergency management)
• Federal Response Plan — April 1999 (FEMA document 9230.1-PL)
• Individual state emergency management agencies (often divisions of the Department of Public Safety)

Gartner's Information Security Strategies Research Note TU-14-5246, 19 September 2001.

Entire contents © 2001 by Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.