Corporate Crisis Management –Sustaining the Business

October 25, 2006

What is a Crisis


A basic principle of corporate crisis management is the requirement that the company, or administrative body (the “business”) be able to sustain both operational scope and performance in the event of a crisis occurring. The level at which these are sustained is largely dependent on the business resources and pre-planning.  The requirement for sustained business operation is of greatest importance in the event of a crisis affecting a critical aspect of the business’ operational structure, for example IT systems.  A crisis can be described as an unplanned incident or event, whether one or more, which either alone or when taken together have the potential to or actually do significantly adversely affect the business in terms of operational scope and performance.


Crisis Management Overview


Crisis management is essentially about controlling and managing a business risk.  Examples of business crisis include:

·                     fraud – whether internal or external;

·                     malicious attack– whether internal or external;

·                     intervening and unplanned event – often defined contractually as a “force majeure” event.


If the business is going to continue performing at a profitable or administratively adequate level when a crisis occurs, it is necessary to have adequate contingency or disaster recovery plans in place and to have relevant members of staff briefed on their responsibilities.  As with all business planning, the level of resource and financial allocation affects the outcome.


Businesses need to focus on demonstrating a capacity to manage and weather a crisis effectively, firstly, by employing effective measures to prevent crisis incidents arising and, secondly, by designing adequate contingency plans to invoke in the event of a crisis occurring.  The business approach to crisis management and recovery must be based on a model that is flexible, feasible, and practical.  Corporate IT disaster recovery planning is a well established part of IT operations.  This article discusses broader corporate crisis avoidance and management, which would include an IT crisis.


Crisis Management Planning


The fundamentals for effective crisis management planning include the identification of a crisis management team, an assessment of the most likely crisis scenarios, the development of a crisis management plan document, periodic crisis training exercises, an adherence to crisis communications guidelines and the continual review and refinement of the plan.  The key objectives are to avert a crisis where possible, detect a crisis promptly and react to the crisis – prevent, detect and react.


Typical steps include:

·                     create a crisis management team and assess potential crises scenarios;

·                     development of one or more crisis management plans, reflecting the business scope;

·                     establish guidelines for gathering information and internal investigations;

·                     carry out periodic crisis training evaluation; and

·                     develop guidelines for crisis communications – both internal and external.

When developing the crisis management plan, relevant factors to be considered include:

·                     the scope of the risk – check the business insurance position to ensure that current insurance cover is adequate in terms of scope and value;

·                     the requirement for proactive risk management

·                     containing the crisis – including evidence gathering

·                     putting in place procedures to prevent, detect and react to a crisis – a practical example being a crisis management plan

·                     preparing a media communications plan

·                     ensuring solid policy foundations are in place – both for the crisis management (detect and react), and for averting or reducing the risk of a reoccurrence (prevent)

·                     investigating corporate authority to seize and search documents, files, etc. – be aware of legal rights and responsibilities; and

·                     ensuring relevant employees are informed of the plan.


What To Do in the Event of a Crisis


·                     Don’t panic.

·                     Gather together the relevant members of the crisis management team – HR, IT and finance, together with retaining external assistance, as required – including PR advisors, security consultants and legal advisors.

·                     Put the crisis management plan into operation – consider what steps the business wishes to take, ie does it want to contain and eradicate the incident or investigate and prosecute the perpetrators?

·                     Start the documenting process – gather the available evidence and attempt to determine responsibility for the crisis – Who?  What?  When?  Where?  How?

·                     Identify internal responsibility for managing the crisis management team and final approval on tasks.

·                     Agree what the team should attempt to accomplish, including determining when the crisis management response can be concluded and the team stood down.

·                     Limit incident information on a need to know basis – including deciding on notification to the Gardai/police (be aware of legal obligations in relation to criminal offences).

·                     Gather evidence “legally” – a key issue in terms of criminal prosecution and civil litigation and a frequent point of business failure.


Remedies Available


Assuming a wrongdoer can be identified, issues of criminal prosecution and civil remedies arise.  Financial recovery is mainly a civil law matter. Issues which arise in relation to civil remedies include:

·                     lower burden of proof than criminal prosecution

·                     internal procedures (interviews, search, seizure, etc) can adversely affect both any criminal prosecution and civil litigation

·                     the availability of adequate documentation relating to any incident

·                     proper control of ‘evidence’ is required

·                     it is time-consuming – civil litigation can eat up large amounts of staff time and, in particular, senior management time so management should delegate to specialists where possible

·                     litigation can be costly and protracted

·                     a Gardai/police investigation may facilitate recovery- it is clearly not the aim of such an investigation but may be a consequence of their investigative efforts.




A business crisis management plan should have senior-level approval, should be communicated to relevant members of staff and should be included within corporate training (although there may be an element of secrecy in relation to the reaction element of the plan).  In terms of administering the plan, it is recommended that responsibilities be assigned to key personnel, especially in relation to reaction matters, which include the preservation of evidence, maintenance of confidentiality, reporting within the plan structure and (where appropriate) reporting to the Gardai/police.  The crisis management plan should be regularly reviewed and updated.


Depending on the nature of the business, a recovery policy should be included within the crisis management plan.  Whether or not recovery is possible will depend on circumstances, including the location of the assets.  In summary, the maintenance of a comprehensive and up-to-date crisis management plan provides the business with a fighting chance of averting a crisis, promptly discovering one which occurs and then dealing with the crisis in as organised and effective a manner as is possible in the circumstances – in summary, prevent, detect, react.


© Arthur Cox, 2006


Pearse Ryan is a Partner at Arthur Cox in Dublin specialising in technology issues and disputes: