To ensure an effective outcome can be consistently achieved, two core questions must be answered Are crisis management and response capabilities resourced, trained, exercised, and continuously available for use? and Are mechanisms in place to effectively monitor and communicate changes within the organizational process risk profile? The level of effort and leadership focus the organization commits to managing and communicating changes within the risk profile will largely define response effectiveness and set the conditions for all that is to follow.

Crisis Capabilities

Crisis is a cascading series of events for which there is no preplanned mitigation. An organization can best prepare for crisis by developing and refining its processes used to communicate and implement ad hoc mitigation strategies. There are two components to crisis management: organizational and operational. Organizationally, resources and support from executive leadership are required to develop the policies, plans, and procedures needed to establish a crisis management capability. Operationally, these capabilities need ongoing training, exercises, after action reviews and improvement plans to achieve and maintain response effectiveness. These skills are refined by focusing on a feedback loop to identify best practices, overcome lessons learned and reinforce the trust and confidence of stakeholders.

The manner and means in which the feedback loop is applied (throughout the planning, implementation, and post-plan continuum) demands timely and precise adjustments. These adjustments require relative risk be assessed and monitored for changes in the risk profile which aids crisis avoidance. However, some choose to limit their actions by mitigating obvious risk, accepting best practices from other organizations, and assuming since no incidents have occurred, relative risk is adequately mitigated. This methodology (defined by iJET as Spurious Risk Management) creates the dangerous illusion that risk has been sufficiently addressed while unknowingly creating an opportunity for significant peril.

Operational environments are evolving into increasingly complex networks of interdependent assets performing at an escalated pace. Thus, the organizations ability to respond to crisis is paramount to the protection of assets; while preparation, monitoring, response, and recovery planning are reconciled as the organization changes direction or expands. Moving crisis management from a capability to demonstrated effectiveness allows the organization to maintain the balance between proactive and reactive response efforts. This provides the operational agility necessary to pursue opportunities based on stakeholder demands and the evolutionary pace of the organizations industry. Effective crisis management enables the organization to respond to disruptions that cannot be predicted and to industry events affecting assets in an environment where formal risk mitigation capability has yet to be developed. Once achieved, this capabilitys level of effectiveness is measured by the feedback derived from drills, exercises, and after action reviews (AARs) of actual events. This process provides the knowledge and experience needed for effective crisis management. The output from these initiatives builds stakeholder trust by collectively demonstrating the attainment of crisis management and response competencies. These competencies translate into confidence when a crisis occurs. As crisis is a dynamic condition where preplanned mitigation or response capabilities are exceeded, it is paramount those involved in crisis response fully understand the organizational span of control, areas of influence, and the environmental canvas – (Figure 1).

These dynamics ultimately dictate the levels of success and failure:

Span of Control The location and resources the organization has the authority to directly control to reduce or inhibit the stressors impact on an organizational asset or operation.

Area of Influence The location and resources the organization can directly influence the actions, or an ability to act, to reduce or inhibit the stressors impact on the organizations asset or operation.

Environmental Canvas Conditions in relation to time, place, and purpose where an organization and its assets operate, or desires to operate. (This dictates the proactive mitigations for foreseeable stressors as well as the reactive resources required to return to normalcy when preplanned mitigations are exceeded.)

These dynamics also directly affect efforts to achieve stakeholder demands. This requires the organization to have the capability to monitor for changes in the risk profile. To leverage this capability, the organization must first set clear parameters so the monitoring asset initiating the notification of change understands the mitigation threshold has beenor is about to be, exceeded.

Monitoring Change

Historically, shifts in an organizations risk profile are attributed to changes in a potential disruptors presence or intensity. While there may be an effective plan to address these changes, monitoring is a critical component. Without this capability, changes in the risk profile could unknowingly surge beyond the capabilities of proactive mitigation strategies. This can lead to cascading effects that impact life safety, organizational assets, and degrade the performance of essential functions. Effective monitoring provides the awareness needed to proactively address deviations in stressor characteristics at the lowest possible level of intensity. This provides time to mitigate residual vulnerabilities that were accepted; and thus, preclude the opportunity for crisis. In conditions where the stressor presents with a sudden onset, effective monitoring improves the ability to inhibit or limit the degree of impact the stressor exerts upon the asset or operation.

However, some organizations profess a consistent level of monitoring for crisis has been achieved without providing the requisite evidence to demonstrate its effectiveness. In the RIMS Executive Report, Exploring Risk Appetite and Risk Tolerance, the authors present the financial crisis of 2008-09 contains examples of those who knowingly or unwittingly accepted significant risk which led to severe consequences. In the post mortem, many organizations were found to have used spurious risk management practices in developing their risk appetite statements. While those risk managers appeared to know the tactics for managing risk, their lack of understanding its precepts created inaccuracies in risk acceptance at the individual, departmental, and enterprise levels. Spurious risk management, at its core, accepts unanalyzed risk factors or incomplete risk forecasts in shaping and sustaining the organization and its operations.

As with all major crises, the 2008-09 financial crisis renewed public and private sector interest in monitoring risk management activities. Performing these actions are well-founded and advised to leverage the organizations capacity to deliver products and services. Unfortunately, many still fail to acknowledge the fact that risk is neverstatic and its management is an evolving organizational process, not a one-time event. When assessing an organization for indications of spurious risk management, the primary characteristics are: addressing only low hanging fruit, adopting a once and done mindset, and the inability to adequately characterize the environmental canvas (e.g. the arrangement of assets and resources in time, place, and purpose).

There is another aspect often underrepresented in receiving the attention warranted; evaluating an organizations remaining capacity to handle unforecasted risk and/or stressors is a key factor in measuring organizational resilience given current efforts and operating tempo. More specifically, without the means to monitor risk capacity, the likelihood of an event whose magnitude and severity will lead to crisis is significant. Monitoring this condition ensures the organization maintains the mitigations necessary to hold or improve its risk position within the goals it desires to pursue. Further, this activity enables the likelihood the organization can sustain its essential functions and mount an effective response should the need arise to return a disrupted asset or operation to a state of normalcy.

Effective Response

An effective response limits the impact imposed by the initial disruptor. The primary objective is to separate the impacted asset or operation from the stressor. To achieve this, effective communications are essential. Initial communications advise how the asset or operation is being affected by the disruptor, who is being impacted, and to what extent. Accurate follow-up communications are key to avoid the unnecessary expenditure of resources, control the flow of information, and reduce fears and tension by answering unknowns in a timely manner. To prioritize resources and sequence the response, continuously assess the situation using the following model – (Figure 2).

Figure 2 Continuous Assessment

When assets or operations are impacted to a degree that exceeds existing protective measures, crisis response must analyze the risk profile, develop a plan to separate the asset or operation from the stressor, and allocate the requisite resources to ensure successful mitigation. As crisis is defined as a series of such activities, response must periodically review the progress of mitigation efforts, determine the level of effectiveness, and then reassess any assets whose risk profile remains at an unacceptable level. Once all assets have been separated from the stressor, the response is concluded.

Conclusion
Crisis, by its nature, brings ad hoc response. Creating a proactive environment, developing interoperability, maintaining resources, and constantly monitoring the risk profile collectively reduces response times and limits cascading effects. Speed must be balanced with deliberate decision-making. Unwarranted acceleration can lead to unnecessary risk, reduce stakeholder confidence, and require additional resources. The development of a crisis management and response capability, establishing it as a budgeted line-item, and routinely evaluating its effectiveness will go far in securing stakeholder trust and solidifying confidence that the organization can respond to crisis effectively.

The answer is not black and white, and the circumstances surrounding the criminal activity must be examined.  In determining whether or not a business owner is responsible for the criminal acts of third parties, courts in most states will look at whether or not the crime was foreseeable.  If the crime was foreseeable, then the second step is whether or not the business owner took reasonable steps to protect her customers from these foreseeable crimes.

Whether or not a crime is foreseeable will depend upon several factors, including 1) whether there have been similar crimes on the premises that would put the business owner on notice that these types of crimes have occurred or are occurring; 2) the frequency of crimes on the premises; 3) the time lapse between the last reported crime and the current one; 4) whether any additional security measures where implemented from the time of the prior criminal activity to the new one; and 3) whether the area is known as a high crime area.

Attorneys representing victims of crimes occurring on a business owner’s premises will assuredly contact the police department to identify all criminal activity that has occurred in the past on both the premises at issue as well as the surrounding area.  The victim’s attorney will then likely argue that the business owner was negligent in its security, failed to monitor criminal activity, and failed to protect its customers from crimes.

In response, the business owner will need a strong defense to counter that the crime committed was not foreseeable, and that the security measures in place were adequate.  Although laws vary from state to state, if the business owner can establish that the type of criminal activity that occurred was not foreseeable, then the owner should escape responsibility for injuries and damages resulting from the crime committed.

The bottom line is to remain vigilant with security, do not ignore reported crime on your premises, and contact an attorney in your state if you have questions or require legal advice.

Originally published on Monday, 04 November 2013
1260 views at time of republishing

Families save hard-earned dollars looking forward to an upcoming vacation or get-away. Our basic demands are few but fundamental. The experience must be safe and it must be fun. One individual’s unhappiness can often be remedied with an apology, a promise to make improvements, or a complimentary amenity. However, constant national news coverage reporting on hundreds of ill cruise ship passengers represents a hemorrhaging that is not easily stopped.

On January 21, 2014, Royal Caribbean’s Explorer of the Seas departed for what was scheduled to be a 10-day cruise. Within days, passengers and crew developed symptoms of the norovirus. By the time the ship docked in New Jersey eight days later, the whole world knew about the hundreds of sick passengers, ruined honeymoons, inspections by the Centers for Disease Control, and the general public asking whether a cruise ship is a “floating petri dish.”

This story line is not new. The headline over Memorial Day weekend in 2013 was the Carnival Triumph “dead in the water” following an engine room fire during a four-day trip from Texas to Mexico. There, reports of food shortages, raw sewage and tent cities on the deck quickly became the lead story on the national news. After the ship was towed to dry land, passengers were willingly photographed kissing the ground and telling their individual stories of horror. The first lawsuit was filed within hours of the last passenger disembarking, describing the ship as a “floating hell.”

In each case, every action and alleged inaction by the cruise company was under a microscope. In the case of the Explorer of the Seas, passengers were confined to their cabins for days and reports quickly surfaced that there may have been more than 1,000 sick passengers and crew—hundreds more than initially reported. In the case of Triumph, the free alcohol meant to appease passengers reportedly had the opposite effect. And once on land, a chartered bus reportedly broke down and a chartered flight was delayed due to an electrical failure. In both cases, passengers are interviewed on the national news, proudly declaring that they will never step foot on a cruise ship again.

Despite this, the cruise industry and the passengers onboard these ships are fortunate in many respects. In both cases, the ships themselves sustained limited physical damage and in neither case was a fatality or life-threatening injury reported. However, the cruise industry relies on the public perception that cruising is fun and safe, and that the experience largely outweighs the remote likelihood of an accident or outbreak. The cruise industry surely wants to avoid legal battles with its passengers. But the industry surely needs to avoid a public relations disaster.

All companies must be zealous about protecting their public image, both before and after a crisis. Crisis management insurance provides companies the financial flexibility to respond appropriately to a public relations issue. A crisis management policy generally obligates the insurer to advance the costs associated with responding to an event such as a man-made disaster or the contamination of foods, beverages or pharmaceutical products. This coverage is available to the insured regardless of fault. A crisis event is should include any occurrence that, in the good faith opinion of the insured, will result in damages if crisis management services are not utilized, as well as where the insured anticipates significant adverse media coverage. Crisis management services are those services performed by a crisis management firm, including advising the insured on how to minimize potential harm, and maintain or restore public confidence in the insured. The policy also covers medical and funeral expenses, psychological counseling, travel and temporary living expenses, expenses to secure the scene, and any other expenses pre-approved by the insurer. The future success of the cruise industry may depend on how quickly the public forgets the fact that the most recent incident may be the largest norovirus outbreak on a cruise ship in two decades.

As with any type of insurance, the scope of crisis management coverage depends on the precise terms of the particular policy. Companies should review their crisis management policies— both when purchasing them and when making claims for coverage.

Finally, keep the following tips in mind to get the most out of your crisis management coverage:

• Make sure that the policy meets your coverage needs. Communicate your coverage expectations to your insurance broker because some crisis management policies are narrower than others.
• To avoid coverage disputes, make sure that the policy’s definition of “crisis” is  sufficiently broad. Since the concept of “crisis” is subjective, the policy should be tailored to define that term broadly enough to capture any event that your company believes may damage its reputation. In addition, the insurer may attempt to limit or pre-select the crisis management and/or public relations firms available to the company. If the company has a firm or representative that it would use in the event of  a crisis, it should be communicated to the insurer before the coverage is purchased.
• When making a claim for coverage, strive to satisfy all conditions in your policy. To avoid complicating your claim, carefully assess all policy conditions-  particularly timing-related conditions that may purport to impose deadlines on when your company must give notice of a claim, submit a proof of loss, or initiate litigation against the insurer. Also be aware of conditions requiring certain individuals to become aware of the coverage-triggering occurrence that gives rise to the crisis event.