Risk Assessment and Identification
“If you don’t know what can go wrong, you will never know what must go right.”
Creating a Risk Catalogue
Begin by brainstorming all plausible threats:
| Category | Examples | Key Questions |
|---|---|---|
| Natural Disasters | Earthquakes, hurricanes, floods, pandemics | How geographically dispersed are our assets? What early-warning data is available? |
| Technological/Cyber | Ransomware, cloud-provider outage, data breach | Which systems house sensitive data? Where are single points of failure? |
| Operational Failures | Utility breakdown, industrial accident, critical vendor bankruptcy | What are our tightest bottlenecks? Which vendors lack redundancy? |
| Human Factors | Strikes, insider sabotage, leadership vacuum | What succession plans exist? How dependent are we on tribal knowledge? |
| Reputational/Regulatory | Product recalls, social-media backlash, non-compliance fines | Which regulations carry the highest penalties? Who shapes public perception? |
Start broad; you can refine later. Resist the urge to dismiss low-probability events if their impact is catastrophic.
Likelihood-Impact Analysis
Classic risk matrices plot probability against consequence. While subjective, this exercise forces cross-functional dialogue. Tips:
- Quantify where possible. Use historical failure rates, meteorological data, supplier financials, and threat-intelligence feeds.
- Calibrate scoring. A five-point scale (1 = negligible, 5 = extreme) for both likelihood and impact yields a 25-cell matrix.
- Heat-map results. Focus mitigation spending on the red-zone risks—high likelihood and high impact.
Vulnerability Audits and Scenario Building
A vulnerability audit tests how exposed each asset is to chosen threats. Questions to ask:
- How quickly can we detect an incident?
- How long until the event disrupts revenue?
- Which controls reduce either likelihood or impact?
Next, develop risk scenarios—short narratives that link a trigger to cascading effects. Example:
Scenario: A category-4 cyclone makes landfall near our coastal data centre.
Cascading effects: Power loss → generator failure after 12 hours (fuel spoilage) → primary ERP offline → order fulfilment halts → regulatory breach in 24 hours because we can’t file customs documents.
These scenarios anchor your playbooks, training drills, and budget priorities.
Crisis Management Team Formation
“You do not rise to the level of your goals in a crisis; you fall to the level of your systems—and the people running them.”
Building the Team
At minimum, your Crisis Management Team (CMT) should include:
| Role | Primary Responsibility | Typical Titles |
|---|---|---|
| Incident Commander | Overall authority, strategic decisions | COO, General Counsel, or seasoned VP |
| Operations Lead | Tactical response, resource deployment | Director of Operations, Plant Manager |
| IT/Cyber Lead | Systems containment, data restoration | CISO, Head of Infrastructure |
| Safety & Security Lead | Physical safety, evacuation, liaison with first responders | EHS Manager, Chief Security Officer |
| Communications Lead | Messaging to employees, media, regulators | Head of Comms, PR Director |
| Finance/Legal Lead | Cost tracking, insurance claims, legal compliance | CFO, General Counsel |
| HR & Welfare Lead | Staff support, counselling, HR policy | VP HR |
Chain of Command
Document authority levels before an emergency hits. For example:
- Incident Commander may spend up to $1 m on contingency procurement without board approval.
- If the Incident Commander is unreachable after 15 minutes, authority passes to the Operations Lead.
- Communication Lead is the sole source of external statements; site managers may issue only pre-approved “holding” lines.
Designating Alternates
Assume key leaders could be travelling, injured, or themselves the target of the incident (e.g., data-breach implicating the CISO’s email account). Appoint at least two alternates per critical role, train them equally, and rotate drill leadership so no one is complacent.
Crisis Response Procedures
Developing Scenario-Specific Action Plans
Using your risk scenarios, create playbooks. A good playbook covers:
- Detection & Verification – sensors, alert thresholds, who confirms authenticity.
- Notification & Escalation – auto-paging the CMT, stakeholder notification trees.
- Containment & Stabilisation – shutting valves, isolating servers, deploying backup staff.
- Impact Assessment – “sit-rep” template gathering facts (who, what, where, when, potential spread).
- Decision Milestones – checkpoints for go/no-go on plant shutdown, public disclosure, law-enforcement engagement.
- Documentation – live incident log, file retention rules, time-stamped decisions for post-mortem and legal defence.
Activation Protocols
Define precise triggers. For example, a ransomware note on an engineer’s laptop is not full crisis activation; however, detection of lateral movement into production servers is. Common activation criteria:
- “Loss of life or serious injury imminent or occurring.”
- “Asset loss > $250 k or projected downtime > 8 hours.”
- “Media inquiry on unverified but plausible incident report.”
Emergency Procedures
- Evacuation: Floor marshals, mobility-impaired assistance, assembly points, headcounts, re-entry rules.
- Shelter-in-Place: Severe weather, chemical release; stockpile sealed water, N95 masks, phone chargers.
- Lockdown: Active shooter; badge readers disabled (outbound only), silent alarms to police, live CCTV feed for law enforcement.
- Medical Response: AED locations, trauma kits, on-call paramedics, telemedicine backup.
Resource Allocation and External Services
- Mutual-Aid Agreements: Pre-signed MOUs with neighbouring factories, data-centre colocation peers, or industry consortiums.
- Emergency Procurement Cards: Pre-authorised credit limits to bypass sluggish purchase-order workflows.
- Specialised Vendors: Digital forensics firms, crisis-PR agencies, restoration contractors. Keep contact lists offline and cloud-synced.
Communication Plan
“In a vacuum of information, rumours become reality.”
Internal Communication
- All-Staff Notification Channels: SMS alerts, intranet banners, automated voice calls.
- Management Cascades: Department heads receive briefing packs every 60 minutes and hold stand-ups.
- Employee Feedback Loop: Dedicated hotline and Slack channel to surface new intel (e.g., “fire alarm malfunctioning on 3rd floor”).
External Communication
| Stakeholder | Information Needs | Delivery Tools |
|---|---|---|
| Customers | Service uptime, shipment delays, data exposure status | Email bulletins, status page with uptime graphs |
| Investors & Regulators | Financial impact, compliance actions, legal obligations | Webcasts, Form 8-K filings, regulator hotlines |
| Media & Public | Facts, corrective action, timeline | Press releases, live Q&A, social-media updates |
| Suppliers & Partners | Order forecasts, logistics changes, payment assurance | Vendor portal alerts, direct account-manager calls |
Spokesperson Protocols
- Primary Spokesperson: CEO or Communications Lead.
- Technical Spokesperson: Subject-matter experts (CISO, Chief Medical Officer).
- Rules of Engagement: Only scripted, approved statements; no speculation; avoid assigning blame.
Pre-Approved Messages
Craft “evergreen” templates for likely incidents:
- Data Breach Holding Statement “We are aware of a potential cybersecurity incident currently under investigation. As soon as we confirm the facts, we will update you within 60 minutes. In the meantime, our systems remain offline as a precaution.”
- Natural Disaster Disruption “Severe weather in the Gulf region has temporarily halted operations at our Port Arthur plant. All employees are safe. Contingency plans are in motion to reroute production.”
Channels and Redundancy
If corporate email is down, pivot to SMS, WhatsApp, or satellite phones. Maintain call trees printed and sealed in waterproof pouches. Ensure social-media credentials are stored in a password manager with at least two people holding recovery tokens.
Business Continuity and Recovery
“Response is about surviving the storm; recovery is about sailing again.”
Integration with Business Continuity (BCP) and Disaster Recovery (DR)
A CMP without BC/DR is like diagnosing a fire hazard but never installing sprinklers. Synchronise:
- Crisis Management Plan (CMP): Who decides and coordinates.
- Business Continuity Plan (BCP): How to keep critical services running at reduced capacity.
- Disaster Recovery Plan (DRP): How to restore full technical capability.
Identifying Critical Processes and Dependencies
Perform a Business Impact Analysis (BIA):
| Process | RTO (Recovery Time Objective) | RPO (Recovery Point Objective) | Dependencies |
|---|---|---|---|
| eCommerce Website | 2 hours | 15 minutes | Cloud DB cluster, Payment gateway |
| Payroll | 48 hours | 24 hours | HRIS SaaS, Bank FTP |
| Cold-Chain Logistics | 4 hours | 1 hour | Refrigeration units, IoT sensors |
Align backup frequency, redundancy spend, and staffing plans to these tolerances.
Ensuring Supply-Chain Continuity
- Dual Sourcing: At least two approved vendors in different geographies for each critical SKU.
- Buffer Inventory: Safety stock calculated via Monte-Carlo simulations of lead-time variability.
- Supplier Risk Scores: Financial health, political stability, ESG concerns. Update quarterly.
- Logistics Contingency: Alternate ports, rail vs. truck toggling, local 3-PL partnerships.
Alternative Work Arrangements
- Split-Site Operations: Teams rotate between HQ and satellite offices to reduce concentrate risk.
- Remote-Work Playbooks: VPN scaling, zero-trust security, hardware-shipping logistics.
- Hot Sites and Mobile Units: Pre-equipped trailers with power, satellite links, desks, and printers.
Recovery Strategies
Technical Recovery:
- Data Restoration – Verify backup integrity with hash checks before loading.
- System Validation – Controlled test scripts; release gates signed off by IT and business owners.
- Progressive Cut-Over – Canary deployment to 5 % traffic, monitor, then full transfer.
Operational Recovery:
- Phased Manufacturing Ramp-Up – Run one line at reduced speed to test quality control.
- Regulatory Approval – Re-inspection certificates, environmental health clearances.
- Customer Re-Onboarding – Priority queuing for critical accounts, goodwill discounts.
Cultural Recovery:
- After-Action Reviews within 30 days: What worked, what failed, action owners, deadlines.
- Employee Well-Being: Counselling sessions, stress-leave policies, gratitude bonuses.
- Stakeholder Transparency: Publish a debrief report (scrubbed of sensitive detail) to rebuild trust.
