Table Of Content
AU2244_C000.fm Page i Thursday, November 16, 2006 2:22 PM
CRISIS MANAGEMENT PLANNING AND EXECUTION
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH

Assessing and Managing Security Risk in IT Systems: A Structured Methodology
John McCumber
ISBN: 0-8493-2232-4

Audit and Trace Log Management: Consolidation and Analysis
Phillip Q Maier
ISBN: 0-8493-2725-3

Building and Implementing Security Certification and Accreditation Program
Patrick D Howard
ISBN: 0-8493-2062-3

The CISO Handbook: A Practical Guide to Securing Your Company
Michael Gentile; Ronald D Collette; Thomas D August
ISBN: 0-8493-1952-8

The Complete Guide for CPP Examination Preparation
James P Muuss; David Rabern
ISBN: 0-8493-2896-9

Curing the Patch Management Headache
Felicia M Nicastro
ISBN: 0-8493-2854-3

Cyber Crime Investigator's Field Guide, Second Edition
Bruce Middleton
ISBN: 0-8493-2768-7

Database and Applications Security: Integrating Information Security and Data Management
Bhavani Thuraisingham
ISBN: 0-8493-2224-3

The Ethical Hack: A Framework for Business Value Penetration Testing
James S Tiller
ISBN: 0-8493-1609-X

Guide to Optimal Operational Risk and Basel II
Ioannis S Akkizidis; Vivianne Bouchereau
ISBN: 0-8493-3813-1

The Hacker's Handbook: The Strategy Behind Breaking into and Defending Networks
Susan Young; Dave Aitel
ISBN: 0-8493-0888-7

The HIPAA Program Reference Handbook
Ross Leo
ISBN: 0-8493-2211-1

Information Security Architecture: An Integrated Approach to Security in the Organization, Second Edition
Jan Killmeyer Tudor
ISBN: 0-8493-1549-2

Information Security Fundamentals
Thomas R Peltier; Justin Peltier; John A Blackley
ISBN: 0-8493-1957-9

Information Security Management Handbook, Sixth Edition
Harold F Tipton; Micki Krause
ISBN: 0-8493-7495-2

Information Security Policies and Procedures: A Practitioner's Reference, Second Edition
Thomas R Peltier
ISBN: 0-8493-1958-7

Information Security Risk Analysis, Second Edition
Thomas R Peltier
ISBN: 0-8493-3346-6

Information Technology Control and Audit, Second Edition
Frederick Gallegos; Daniel P Manson; Sandra Senft; Carol Gonzales
ISBN: 0-8493-2032-1

Intelligence Support Systems: Technologies for Lawful Intercepts
Kornel Terplan; Paul Hoffmann
ISBN: 0-8493-2855-1

Managing an Information Security and Privacy Awareness and Training Program
Rebecca Herold
ISBN: 0-8493-2963-9

Network Security Technologies, Second Edition
Kwok T Fung
ISBN: 0-8493-3027-0

The Practical Guide to HIPAA Privacy and Security Compliance
Kevin Beaver; Rebecca Herold
ISBN: 0-8493-1953-6

A Practical Guide to Security Assessments
Sudhanshu Kairab
ISBN: 0-8493-1706-1

Practical Hacking Techniques and Countermeasures
Mark D. Spivey
ISBN: 0-8493-7057-4

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments
Douglas J Landoll
ISBN: 0-8493-2998-1

Strategic Information Security
John Wylder
ISBN: 0-8493-2041-0

Surviving Security: How to Integrate People, Process, and Technology, Second Edition
Amanda Andress
ISBN: 0-8493-2042-9

Wireless Security Handbook
Aaron E Earle
ISBN: 0-8493-3378-4

AUERBACH PUBLICATIONS
www.auerbach-publications.com
CRISIS MANAGEMENT PLANNING AND EXECUTION
EDWARD S. DEVLIN
FOREWORD BY RICHARD L. ARNOLD
Boca Raton New York
Auerbach Publications is an imprint of the
Taylor & Francis Group, an informa business
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2007 by Taylor & Francis Group, LLC
Auerbach is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-10: 0-8493-2244-8 (Hardcover)
International Standard Book Number-13: 978-0-8493-2244-0 (Hardcover)
This book contains information obtained from authentic and highly regarded sources. Reprinted
material is quoted with permission, and sources are indicated. A wide variety of references are
listed. Reasonable efforts have been made to publish reliable data and information, but the author
and the publisher cannot assume responsibility for the validity of all materials or for the
consequences of their use.
No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any
electronic, mechanical, or other means, now known or hereafter invented, including photocopying,
microfilming, and recording, or in any information storage or retrieval system, without written
permission from the publishers.
For permission to photocopy or use material electronically from this work, please access
www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC)
222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that
provides licenses and registration for a variety of users. For organizations that have been granted a
photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and
are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Devlin, Edward S.
Crisis management planning and execution / Edward S. Devlin.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2244-8 (alk. paper)
1. Crisis management. I. Title.
HD49.D483 2006
658.4’056--dc22 2006048419
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the Auerbach Web site at
http://www.auerbach-publications.com
CONTENTS
Foreword
Preface
About the Author
1 The Crisis Management Plan — What Is It?
1.1 Introduction
1.1.1 Plan Should Be Inclusive
1.1.2 Plan Viability
1.1.3 When Did the Concept Start?
1.2 What Is a Crisis?
1.2.1 The American Red Cross
1.2.2 “Opens the Door” Effect
1.2.3 Cook County Administration Building, Chicago, Illinois
1.3 Types of Crises
1.3.1 Nonphysical Damage Crises: Definition and Examples
1.3.1.1 Product Issue: Credibility
1.3.1.2 Product Issue: Defective
1.3.1.3 Product Issue: Safety
1.3.1.4 Product Issue: Tampering
1.3.1.5 Negative Public Perception of Your Organization
1.3.1.6 Market Shift
1.3.1.7 Financial or Cash Problem
1.3.1.8 Industrial Relations Problem
1.3.1.9 Adverse International Event
1.3.1.10 Workplace Violence
1.3.2 Physical Damage Disasters: Examples
1.3.2.1 Earthquake
1.3.2.2 Tornado
1.3.2.3 Flood
1.3.2.4 Hurricane
1.3.2.5 Fire
1.3.2.6 Leak
1.3.2.7 Power Outage
1.3.2.8 Bombing
1.3.2.9 Arson
1.4 How to Determine Which Crises Could Strike Your Company
1.4.1 Analyze the Threats
1.4.2 Predictability
1.4.3 Frequency
1.4.4 Crises That Could Be Missed
1.4.4.1 Crisis Caused by a Supplier or Vendor: Examples
1.4.4.2 Crisis Caused by a Bad Exercise: Examples
1.4.4.3 Crisis Caused by the Action of an Employee: Examples
1.4.4.4 Crisis Caused by the Action of the Human Resources Department: Examples
1.4.4.5 Crisis Caused by the Actions of the News Media: Examples
1.4.4.6 Crisis Caused by an Owner Liability Issue: Examples
1.4.4.7 Crisis Caused by an Industrial Espionage Incident: Examples
1.4.4.8 Crisis Caused by the Unexpected Death of CEO, or of a Number of Senior Executives: Examples
1.5 Why Companies Need a Crisis Management Plan
1.5.1 News Media Can Make or Break You
1.6 Preventing a Crisis from Occurring
2 Business Continuity Planning: What Is It?
2.1 How Does the Crisis Management Plan Fit into the Business Continuity Plan?
2.1.1 The Prevention Element: Introduction
2.1.1.1 The Risk Management/Risk Analysis Process
2.1.1.2 The Security Plan
2.1.1.3 The Facilities/Building Engineering Plans
2.1.2 The Emergency Response Plan
2.1.2.1 The Incident Response Plan
2.1.2.2 The Life Safety Plan
2.1.2.3 The Damage Assessment Plan
2.1.3 The Business Resumption Plan
2.1.3.1 The Information Technology-Disaster Recovery Plan
2.1.3.2 The Business Unit’s Business Resumption Plan
2.1.3.3 The Crisis Management Plan
2.1.4 History of Business Continuity Planning
2.1.4.1 Contingency Plans, 1965
2.1.4.2 The Fire in Hawthorne, New York, 1972: The Incident That Changed the Scope from Contingency Plans to Disaster Recovery Plans
2.1.4.3 The Fire in Philadelphia, Pennsylvania, 1978
2.1.4.4 Fire in Minneapolis, Minnesota, 1982
2.1.4.5 Bombing in New York City, 1993
2.1.4.6 Bombing in Oklahoma City, Oklahoma, 1995
2.1.4.7 The Millennium Change (Y2K), 2000
2.1.4.8 The Terrorist Attack on the World Trade Centers in New York City
2.1.4.9 Business Continuity Plan: Reassessment
3 Stages of a Crisis
3.1 Introduction
3.1.1 The Pre-Crisis Stage
3.1.2 The Acute-Crisis Stage
3.1.3 The Post-Crisis Stage
3.2 The Pre-Crisis Stage
3.2.1 What Is the Pre-Crisis Stage?
3.2.2 When Someone Discovers a Potential Crisis Developing, What Should They Do?
3.2.3 Pre-Crisis Actions Taken
3.2.4 Organizations Apparently Are Very Effective in Managing Pre-Crisis Situations
3.2.5 Why Do Crises Move from the Pre-Crisis Stage to the Acute-Crisis Stage?
3.2.5.1 Underestimate
3.2.5.2 Overestimate
3.2.5.3 Not Aware
3.2.5.4 Intentionally Ignore the Warning
3.2.6 Some Pre-Crisis Warnings Are Obvious, While Others Are Not So Obvious
3.2.6.1 Sprinklers
3.2.6.2 Fires during Renovations
3.2.6.3 Workplace Violence
3.2.6.4 Many Pre-Crisis Warnings Are Either Missed or Ignored by the EMT
3.2.7 Why Is Crisis Management Important?
3.2.7.1 Look for the Pre-Crisis Warning
3.2.7.2 Executive Has Missed the Warning
3.2.7.3 Could Our Product Be Harming Our Customers?
3.2.8 What Is the Pre-Crisis Stage?
3.2.8.1 Apparently Organizations Are Very Effective in Managing Pre-Crisis Situations
3.2.8.2 Why Do Crises Move from the Pre-Crisis Stage to the Acute-Crisis Stage?
3.3 The Acute-Crisis Stage
3.3.1 When? — After the Crisis Is Known Outside the Organization
3.3.2 Result: Managing May Be Weakened
3.3.3 Disgruntled Employees Attempt to Take Revenge: Examples
3.3.4 Product (or Services) Come under Attack: Examples
3.3.5 Creditors Become Concerned and Want to Be Satisfied: Examples
3.3.6 Shareholders Are Concerned and Begin Dumping Their Stock: Examples
3.3.7 Damage to a Company’s Reputation Can Have Serious Consequences: Examples
3.3.8 Managing the Organization Becomes Difficult
3.3.8.1 Problem: Loss of Personnel
3.3.8.2 Loss of Key Employees
3.4 The Post-Crisis Stage
3.4.1 How Long Will This Last?
3.4.1.1 Take Notes
3.4.1.2 Guilt by Association
3.4.1.3 The Worst Example of a Crisis Will Not Go Away
3.4.1.4 Learn from Other Crises
3.4.2 Evaluating the Organization’s Handling of the Crisis
3.4.2.1 Evaluating the Organizations’ Handling of the Crisis — Objective: Recoup Losses
3.4.2.2 Evaluating the Organizations’ Handling of the Crisis — Objective: Show Consumers You Care about What You Did to Them
3.4.2.3 Evaluating the Organization’s Handling of the Crisis — Objective: What Are You Doing to Prevent This from Happening Again
3.4.2.4 Evaluating the Organization’s Handling of the Crisis — Objective: Organizations Are Too Weakened to Continue Operations
3.4.2.5 Evaluate the Organization’s Performance during the Crisis — Objective: Investigations
3.4.2.6 Evaluating the Organization’s Handling of the Crisis: Investigations
3.4.2.7 Evaluating the Organization’s Handling of the Crisis: Change Is Needed
4 Steps in Managing a Crisis
4.1 Introduction
4.1.1 Take Charge Quickly
4.1.1.1 Activate the Crisis Management Team
4.1.1.2 Establish the Crisis Management Command Center
4.1.1.3 Identify the Person Who Will Manage the Crisis
4.1.1.4 Let People within Your Organization Know Who the Crisis Manager Is
4.1.1.5 Take Charge Quickly — Before the Organization Weakens
4.1.2 Establish the Facts
4.1.2.1 Facts Not Completely Known
4.1.2.2 Information Tainted
4.1.2.3 Gather Information: Use Crisis Communications Team Members
4.1.2.4 Prepare Your Story
4.1.2.5 Get and Give Facts as Early as Possible
4.1.2.6 Difficulty in Getting an Accurate Story out Quickly
4.1.2.7 Inaccurate Information
4.1.3 Tell Your Story
4.1.3.1 Spokesperson: Who Should Be the Spokesperson?
4.1.3.2 Make Contact with the Media
4.1.3.3 Dealing with the Media
4.1.3.4 Make Contact with the Employees
4.1.3.5 Make Contact with the Customers
4.1.3.6 Make Contact with the Shareholders or Investors
4.1.4 Fix the Problem
4.1.4.1 Recoup Losses
4.1.4.2 Make Any Changes That Were Identified as Being Needed
5 The Executive Management Team
5.1 Introduction
5.1.1 The Executive Management Plan
5.1.2 Who Are the Members of the Executive Management Team?
5.1.3 Is There a Predefined List of Executives Who Comprise the EMT?
5.1.4 Do Organizations Not Already Have an Executive Management Team?
5.1.5 What Do They Do When They Are Made Aware of a “Developing Situation”?
5.1.5.1 What Does the Executive Management Team Do?
5.2 EMT Role during the Pre-Crisis Stage
5.2.1 Remove the Threat
5.2.1.1 Avoid the “Opens the Door” Crisis
5.2.2 Look for the Pre-Crisis Warning
5.2.2.1 Warnings Missed
5.2.3 Seek the Support of Outside Consultants
5.2.3.1 Selecting an Outside Consulting Firm
5.2.3.2 Outside Consulting Firms and Specialists
5.3 EMT Role during the Acute-Crisis Stage
5.3.1 How Does the EMT Allow a Pre-Crisis Situation to Move to an Acute Crisis?
5.3.2 Activate and Empower the Crisis Management Team to Take Action
5.3.2.1 Support the Crisis Management Team